Malware Analysis Report

2025-06-15 23:45

Sample ID 230213-sjg1lade2v
Target dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095
SHA256 dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095
Tags
redline crnn fusa discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095 was found to be: Known bad.

Malicious Activity Summary

RedLine

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-13 15:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-13 15:09

Reported

2023-02-13 15:11

Platform

win10-20220812-en

Max time kernel

56s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe | N/A

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2360 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe
PID 2360 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe
PID 2360 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe
PID 4556 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe
PID 4556 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe
PID 4556 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe
PID 4556 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe
PID 4556 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe
PID 4556 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe
PID 2360 wrote to memory of 4724 | N/A | C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe
PID 2360 wrote to memory of 4724 | N/A | C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe
PID 2360 wrote to memory of 4724 | N/A | C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe

"C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe

Network

Country | Destination | Domain | Proto
DE | 193.233.20.12:4132 | | tcp
RU | 176.113.115.17:4132 | | tcp
IE | 20.50.73.9:443 | | tcp
US | 209.197.3.8:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe

MD5 d901c40d66f39ce57245aebcc139a5ad
SHA1 0cdfe58bce9a8c9abedc65610c744383406f8ede
SHA256 bd87b9d04c03d49359727f4d60bc77f1de2411ff7b619dc593c18dabf9ef4c09
SHA512 4a5a66abe4db90bf14034113bcaf383a264fafbf1cfa236afb427acb9d0e45c07f73e47cc9b9c8f5ec111a1e5c5a00ae3f9ea2b24a061a05b2961824c05839ed

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe

MD5 da6f3bef8abc85bd09f50783059964e3
SHA1 a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256 e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA512 4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe

MD5 062a3c73b1aaf076abefd71633b66de5
SHA1 e4b7e004c32d673fd61b1669c797dc4b207d8445
SHA256 f281aafa876847194d635feddb06b11295249cc4bcf940d5246bdb5938410881
SHA512 6bee4020fa8e4955b3028a71037f78ec922132009942283e071b3acdeea375300cef092fd692e9463d625065d5ef57e5e1ebd98f72e801ffc2178c071d645ec3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe

MD5 1dfaea61e3959f902a94287e95ee6824
SHA1 a303be2ea1744692c8bf527568100d2182ddf58a
SHA256 1054db02a2bf17fa18d0f4422f9fa62893cd437bdb74d31225643b7c0c1861e6
SHA512 c69619f34be5345efd95a91d5771564651e521ff5cccad9b5ce694eed982344539bbfcb9f39bae0208b4a62c9215ca82f254715606a99cedabdf47ad0dcf7dd3