Malware Analysis Report

2024-10-16 03:50

Sample ID 240502-gf6zrsad4z
Target f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c
SHA256 f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c
Tags
healer redline zgrat dropper evasion infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c

Threat Level: Known bad

The file f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c was found to be: Known bad.

Malicious Activity Summary

healer redline zgrat dropper evasion infostealer persistence rat trojan

Modifies Windows Defender Real-time Protection settings

ZGRat

Detects Healer an antivirus disabler dropper

Detect ZGRat V1

RedLine payload

RedLine

Healer

Detects executables packed with ConfuserEx Mod

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-02 05:45

Signatures

Unsigned PE

Description Indicator Process Target
1 match; the report records no description, indicator, process or target for it.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-02 05:45

Reported

2024-05-02 05:48

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
20 matches; the report records no description, indicator, process or target for them.

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
17 matches; the report records no description, indicator, process or target for them.

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

These are the Group Policy-backed Defender settings (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection). A value of 1 asks Defender to switch off the named real-time component: behaviour monitoring, IOAV (download and attachment) scanning, on-access scanning, real-time monitoring, and the process scan that normally runs when real-time protection is re-enabled. The WOW6432Node component is the 32-bit view of HKLM\SOFTWARE; 04447002.exe is a 32-bit binary (its crash in the process list below is handled by C:\Windows\SysWOW64\WerFault.exe). Caveat: the report records the writes, not whether Defender honoured them. With Tamper Protection on, which is the default on recent Windows 10 and 11 builds, Defender ignores attempts by a local process to disable real-time protection through these values, so on a suspect host check the effective state with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) and Get-MpPreference rather than trusting the registry alone.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
20 matches; the report records no description, indicator, process or target for them.

ZGRat

rat zgrat

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Description Indicator Process Target
17 matches; the report records no description, indicator, process or target for them.

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
20 matches; the report records no description, indicator, process or target for them.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk664141.exe N/A

Windows security modification

evasion trojan

TamperProtection = 0 under HKLM\SOFTWARE\Microsoft\Windows Defender\Features is an attempt to switch Tamper Protection off so that the Real-Time Protection policy writes above take effect. Two caveats: Defender protects this value while Tamper Protection is on, so on a protected host the write is blocked or ignored; and the logged path is the WOW6432Node (32-bit redirected) view of Microsoft\Windows Defender, not the native key the 64-bit Defender service reads.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe N/A

This entry is not malware persistence. wextract_cleanup0 pointing at advpack.dll,DelNodeRunDLL32 is the stock RunOnce entry that a Windows IExpress (wextract) self-extracting package registers so that its IXP000.TMP extraction directory is deleted at the next logon. What it does tell you is that the submitted file is an IExpress SFX package that unpacked 04447002.exe and rk664141.exe into that directory. The "persistence" tag is the generic Run-key signature firing; neither dropped payload is shown writing a Run key of its own in this run.
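As an added example (not code from the sandbox, the report or the malware), the following Python turns the two Defender tables and the RunOnce row above into detection logic that runs over Sysmon Event ID 13 (registry value set) records. The five records it runs on are constructed to mirror the report's indicators; the Sysmon field names (EventID, TargetObject, Details, Image) are real, while the severities, key constants and helper names are this example's own choices. It normalises the \REGISTRY\MACHINE and WOW6432Node path forms before matching, and it down-ranks the wextract cleanup entry to informational so the IExpress dropper is flagged for what it is rather than as persistence.

```python
"""Registry-tampering detections built from the indicators in the report.

Added example, not code from the sandbox, the report or the malware. Runs
over constructed Sysmon Event ID 13 (RegistryEvent, value set) records;
field names follow Sysmon, the records themselves are made up to mirror
the report's rows.
"""
import re

# Real-Time Protection policy values the dropper set to 1 (from the report).
REALTIME_KILLSWITCHES = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}
RTP_POLICY_KEY = "hklm\\software\\policies\\microsoft\\windows defender\\real-time protection"
FEATURES_KEY = "hklm\\software\\microsoft\\windows defender\\features"


def normalize_key(path):
    """Fold case, map \\REGISTRY\\MACHINE and HKEY_LOCAL_MACHINE to HKLM and
    drop the WOW6432Node component, so a 32-bit process's redirected write
    and the native 64-bit path compare equal."""
    p = path.lower()
    p = p.replace("\\registry\\machine\\", "hklm\\")
    p = p.replace("hkey_local_machine\\", "hklm\\")
    p = p.replace("\\wow6432node\\", "\\")
    return p


def dword(details):
    """Integer from Sysmon's 'DWORD (0x00000001)' or a bare '1'; None if absent."""
    m = re.search(r"0x[0-9a-fA-F]+|\d+", details or "")
    if not m:
        return None
    s = m.group(0)
    return int(s, 16) if s.lower().startswith("0x") else int(s, 10)


def classify_event(event):
    """(severity, reason) for one value-set event, or None when nothing fires."""
    key, _, value = normalize_key(event["TargetObject"]).rpartition("\\")
    details = event.get("Details", "")
    if key == RTP_POLICY_KEY and value in REALTIME_KILLSWITCHES and dword(details) == 1:
        return "high", f"Defender real-time component disabled by policy value {value}"
    if key == FEATURES_KEY and value == "tamperprotection" and dword(details) == 0:
        return "high", "Defender TamperProtection cleared"
    if key.endswith("\\currentversion\\runonce") and "advpack.dll,delnoderundll32" in details.lower():
        # Stock wextract/IExpress cleanup: deletes the IXP###.TMP directory at
        # next logon. Not persistence, but it identifies an SFX dropper and
        # the directory its payloads were unpacked into.
        return "info", f"IExpress self-extractor cleanup entry {value}"
    if key.endswith("\\currentversion\\run") or key.endswith("\\currentversion\\runonce"):
        return "medium", f"Autorun entry written: {value}"
    return None


def scan(events):
    """Apply classify_event to every Event ID 13 record; return the findings."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        hit = classify_event(ev)
        if hit:
            findings.append({"severity": hit[0], "reason": hit[1], "image": ev.get("Image")})
    return findings


HEALER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\04447002.exe"
DROPPER = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
           "f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe")

# Constructed records; paths and values mirror the report's tables.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": HEALER,
     "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": HEALER,
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
     "Details": "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""},
    # Negative cases: a component being re-enabled, and an unrelated key.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Program Files\\Example\\app.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Example\\Version", "Details": "1.2.3"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['reason']}  <- {f['image']}")
```

Run directly it prints the two high findings for 04447002.exe and the informational IExpress entry for the dropper; in a SIEM pipeline you would feed scan() parsed Sysmon events instead of SAMPLE_EVENTS.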

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk664141.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe

"C:\Users\Admin\AppData\Local\Temp\f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe"

(The submitted sample. The wextract_cleanup0 RunOnce entry and the IXP000.TMP directory identify it as an IExpress/wextract self-extractor that unpacks the two executables below.)

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe

(PID 3636 in this run, inferred from the WerFault arguments and the memory dump names. This is the component that writes the Defender settings above, the antivirus-disabler behaviour the Healer signature covers, and the process behind the "Program crash" signature.)

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3636 -ip 3636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1100

(Windows Error Reporting handling the crash of PID 3636; the SysWOW64 copy being used confirms the crashed process is 32-bit.)

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk664141.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk664141.exe

(PID 1108 in this run, inferred from the memory dump names.)

Network

Of the 30 connections recorded, the DNS and PTR (in-addr.arpa) lookups to 8.8.8.8 and the TLS sessions to bing.com / bing.net hosts are Windows background traffic in the sandbox. The only other destination is 185.161.248.143:38452 (RU), contacted seven times over plain TCP on a non-standard port with no preceding name lookup. The report does not label it, but that pattern is consistent with a RedLine C2 channel, and it is the indicator worth blocking and hunting for.

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 udp
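As an added example (not part of the report), here is a small parser for the flattened Network table above that aggregates connections per destination and separates sandbox background traffic from destinations worth acting on. The table rows are pasted in as constructed input, including the final row that has no domain column; the noise rules (DNS/PTR lookups, and the Bing hosts as the only Microsoft endpoints this run shows) are this example's own assumptions and should be widened for a real estate.

```python
"""Aggregate the report's Network table into per-destination counts.

Added example, not part of the report. NETWORK_TABLE is the table above
pasted in as constructed input; the noise rules in classify_flow are this
example's own assumptions.
"""
from collections import Counter

NETWORK_TABLE = """\
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 udp
"""

# Hosts treated as OS background traffic. Assumption: only the Bing hosts
# this run shows; widen the list for a real estate.
BENIGN_DOMAINS = ("bing.com", "bing.net")


def parse_rows(text):
    """Yield (country, dest, domain, proto); domain is '' when the row lacks one."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)
        elif len(parts) == 3:
            yield parts[0], parts[1], "", parts[2]


def is_benign_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in BENIGN_DOMAINS)


def classify_flow(dest, domain, proto):
    """Label one connection: dns, ptr-lookup, benign-msft, suspect-direct-ip or review."""
    port = dest.rpartition(":")[2]
    if proto == "udp" and port == "53":
        return "ptr-lookup" if domain.endswith(".in-addr.arpa") else "dns"
    if domain and is_benign_domain(domain):
        return "benign-msft"
    if not domain and proto == "tcp":
        # No name lookup preceded it (hard-coded IP): C2 candidate.
        return "suspect-direct-ip"
    return "review"


def summarize(text):
    """Connection count per (dest, domain, proto, label)."""
    counts = Counter()
    for _, dest, domain, proto in parse_rows(text):
        counts[(dest, domain, proto, classify_flow(dest, domain, proto))] += 1
    return counts


def suspects(text):
    """Destinations to block or hunt for, most-connected first, as (dest, count)."""
    agg = Counter()
    for (dest, _, _, label), n in summarize(text).items():
        if label in ("suspect-direct-ip", "review"):
            agg[dest] += n
    return agg.most_common()


if __name__ == "__main__":
    for (dest, domain, proto, label), n in sorted(summarize(NETWORK_TABLE).items()):
        print(f"{n:3d}  {label:18s} {proto:4s} {dest:24s} {domain}")
    print("suspects:", suspects(NETWORK_TABLE))
```

suspects() reduces the 30 rows to the single destination a responder needs, 185.161.248.143:38452 with seven connections; everything else in this run is classified as lookup or Microsoft background noise.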

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe (PID 3636 in this run)

MD5 70fad5d9c3ad01581c79278f9c66d972
SHA1 fb09bd9838bb98426271705ddd7a0f0c9e2584f3
SHA256 2ebcf392616d2eb2128f1cce9f537dfc98783d1595806ac0be0959fea856211c
SHA512 49c6550cde46e643754ea13bf8bfce59724e42cca08753956297f25b604d5ca89866718c66f1cc750158805fc7c74eb2f635bbb95d7d0049cbf0048813da60d8

Memory dumps for process 3636 (memory/<pid>-<sequence>-<start>-<end>-memory.dmp). The two differently sized regions at the 0x400000 image base (ending 0x430000 and 0x455000) are consistent with the in-memory image being replaced by an unpacked stage:
memory/3636-10-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3636-9-0x0000000001F80000-0x0000000001FAD000-memory.dmp
memory/3636-8-0x00000000006E0000-0x00000000007E0000-memory.dmp
memory/3636-11-0x0000000000400000-0x0000000000455000-memory.dmp
memory/3636-12-0x00000000023A0000-0x00000000023BA000-memory.dmp
memory/3636-13-0x0000000004C60000-0x0000000005204000-memory.dmp
memory/3636-14-0x0000000004B40000-0x0000000004B58000-memory.dmp
memory/3636-15-0x0000000004B40000-0x0000000004B53000-memory.dmp
memory/3636-24-0x0000000004B40000-0x0000000004B53000-memory.dmp
memory/3636-42-0x0000000004B40000-0x0000000004B53000-memory.dmp
memory/3636-40-0x0000000004B40000-0x0000000004B53000-memory.dmp
memory/3636-38-0x0000000004B40000-0x0000000004B53000-memory.dmp
memory/3636-37-0x0000000004B40000-0x0000000004B53000-memory.dmp
memory/3636-34-0x0000000004B40000-0x0000000004B53000-memory.dmp
memory/3636-32-0x0000000004B40000-0x0000000004B53000-memory.dmp
memory/3636-30-0x0000000004B40000-0x0000000004B53000-memory.dmp
memory/3636-28-0x0000000004B40000-0x0000000004B53000-memory.dmp
memory/3636-26-0x0000000004B40000-0x0000000004B53000-memory.dmp
memory/3636-22-0x0000000004B40000-0x0000000004B53000-memory.dmp
memory/3636-20-0x0000000004B40000-0x0000000004B53000-memory.dmp
memory/3636-18-0x0000000004B40000-0x0000000004B53000-memory.dmp
memory/3636-16-0x0000000004B40000-0x0000000004B53000-memory.dmp
memory/3636-45-0x0000000000400000-0x0000000000455000-memory.dmp
memory/3636-46-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk664141.exe (PID 1108 in this run)

MD5 3ea494f11fa64d263fa40ef7b07c6c52
SHA1 f44d0431f2a36645701e4b04509eaeb946e8e7e7
SHA256 29779782e75937b7bb2e85096c1ee4b3a7db913b0b2991c583bb2e8918c8541c
SHA512 4c1ba94a57ed4ec18be4ab91805eb574016e64953105d06c4ebf754f56411b03f7b475901a98e5f7e16885035618bedc01f79bf035adc33d9215359802530ff5

Memory dumps for process 1108 (memory/<pid>-<sequence>-<start>-<end>-memory.dmp):
memory/1108-52-0x0000000000400000-0x000000000046A000-memory.dmp
memory/1108-53-0x00000000049E0000-0x0000000004A1C000-memory.dmp
memory/1108-54-0x0000000005010000-0x000000000504A000-memory.dmp
memory/1108-55-0x0000000000400000-0x000000000046A000-memory.dmp
memory/1108-51-0x0000000000400000-0x000000000046A000-memory.dmp
memory/1108-63-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-90-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-87-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-85-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-83-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-82-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-79-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-77-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-75-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-73-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-72-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-69-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-67-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-65-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-61-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-59-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-57-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-56-0x0000000005010000-0x0000000005045000-memory.dmp
memory/1108-848-0x0000000007530000-0x0000000007B48000-memory.dmp
memory/1108-849-0x0000000007BF0000-0x0000000007C02000-memory.dmp
memory/1108-850-0x0000000007C10000-0x0000000007D1A000-memory.dmp
memory/1108-851-0x0000000007D30000-0x0000000007D6C000-memory.dmp
memory/1108-852-0x00000000024C0000-0x000000000250C000-memory.dmp