Malware Analysis Report

2025-03-15 01:44

Sample ID 230910-k1deqsga52
Target a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd
SHA256 a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd

Threat Level: Known bad

The file a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 09:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 09:03

Reported

2023-09-10 09:06

Platform

win10-20230703-en

Max time kernel

129s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe N/A

All three values are wextract_cleanupN entries under HKLM\...\CurrentVersion\RunOnce, written by the WEXTRACT/IExpress self-extractor stubs that make up the dropper chain: each layer extracts into an IXP00N.TMP directory and registers a RunOnce value that runs advpack.dll,DelNodeRunDLL32 to delete that directory at the next logon. They are the packer's self-cleanup, not an autostart for the payload; the "persistence" tag is triggered by this cleanup mechanism, and the report records no Run key that launches the stealer. The practical consequence is the opposite of persistence: IXP000.TMP, IXP001.TMP and IXP002.TMP, and the dropped executables inside them, disappear at the next logon, so collect them from an infected host before it reboots.
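The three RunOnce rows are easy to misread as persistence. The Python below is an example added for this page, not code from the sandbox or any vendor tooling: it parses the rows exactly as printed in the table above, separates WEXTRACT cleanup values (a RunOnce key, a wextract_cleanupN value name and an advpack.dll,DelNodeRunDLL32 command) from genuine autostart values, and lists the directories that will be deleted at the next logon. A fourth, constructed row (hypothetical, not observed in this detonation) shows what a real Run-key autostart looks like to the same classifier.

```python
import re

# The three registry rows exactly as printed in the signature table above. The
# sandbox escapes backslashes and quotes inside the value data, hence \\ and \".
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe N/A',
]

# Constructed contrast row (hypothetical; not observed in this detonation): what a
# genuine autostart value for a copied payload looks like to the same parser.
CONSTRUCTED_ROW = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater'
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" C:\Users\Admin\AppData\Roaming\updater.exe N/A'
)

# type, full key path, escaped value data, process that set it, target column
ROW_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "((?:[^"\\]|\\.)*)" (\S+) (\S+)$')
# WEXTRACT cleanup command: rundll32 advpack.dll,DelNodeRunDLL32 "<directory to delete>"
CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"\s*$', re.IGNORECASE
)


def _unescape(data):
    # Undo the report's backslash escaping inside the value data.
    return re.sub(r"\\(.)", r"\1", data)


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        raise ValueError("unrecognised row: " + row)
    value_type, full_key, data, process, target = m.groups()
    key, _, value_name = full_key.rpartition("\\")
    return {"type": value_type, "key": key, "value_name": value_name,
            "data": _unescape(data), "process": process, "target": target}


def classify(entry):
    """Return (class, directory scheduled for deletion or None)."""
    key_tail = entry["key"].rsplit("\\", 1)[-1].lower()
    if key_tail not in ("run", "runonce"):
        return "other", None
    m = CLEANUP_RE.match(entry["data"])
    if key_tail == "runonce" and entry["value_name"].lower().startswith("wextract_cleanup") and m:
        return "sfx_cleanup", m.group(1).rstrip("\\")
    return "autostart", None


def triage_rows(rows):
    entries = []
    for row in rows:
        entry = parse_row(row)
        entry["class"], entry["target_dir"] = classify(entry)
        entries.append(entry)
    return entries


def dirs_deleted_at_next_logon(entries):
    """Extraction directories to collect before the host reboots."""
    return sorted(e["target_dir"] for e in entries if e["class"] == "sfx_cleanup")


if __name__ == "__main__":
    for e in triage_rows(REPORT_ROWS + [CONSTRUCTED_ROW]):
        setter = e["process"].rsplit("\\", 1)[-1]
        print(f'{e["class"]:12} {e["value_name"]:18} set by {setter}')
    print("collect before reboot:", dirs_deleted_at_next_logon(triage_rows(REPORT_ROWS)))
```

The classifier keys on all three properties at once (RunOnce, the wextract_cleanup name and the DelNodeRunDLL32 command); a value that only satisfies one of them, for instance a RunOnce entry that launches an executable, still lands in the autostart bucket and deserves a look.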

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3180 wrote to memory of 4500 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe
PID 4500 wrote to memory of 4624 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe
PID 4624 wrote to memory of 4488 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1877451.exe
PID 4624 wrote to memory of 4880 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3604841.exe

Each of the four writer/target pairs appears three times in the original table; the rows are collapsed here with their counts. Every write goes from a dropper layer to the executable it extracted into the next IXP00N.TMP directory, and no write into a pre-existing or unrelated process is recorded, so this signature documents the drop chain rather than injection into another process.

Processes

Parent/child chain reconstructed from the WriteProcessMemory rows (PIDs as recorded there), each with the image path and command line as logged. The IXP00N.TMP directories are the extraction folders created by the WEXTRACT/IExpress self-extractor stub, so the chain is three nested self-extracting layers ending in two final-stage executables, m1877451.exe and n3604841.exe.

PID 3180  C:\Users\Admin\AppData\Local\Temp\a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd.exe
          "C:\Users\Admin\AppData\Local\Temp\a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd.exe"
  PID 4500  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe
    PID 4624  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe
              C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe
      PID 4488  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1877451.exe
                C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1877451.exe
      PID 4880  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3604841.exe
                C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3604841.exe
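To turn the flattened WriteProcessMemory rows into a process tree that can be checked against the Processes list, the following Python (an example written for this page, not sandbox code) counts each writer/target pair, treats writer→target as parent→child (an assumption that holds when the writes are the ones a parent makes into a child it has just created), and flags any PID written by more than one process, which is where cross-process injection would show up.

```python
import re
from collections import Counter, defaultdict

# The twelve "Suspicious use of WriteProcessMemory" rows from the report above.
WPM_TABLE = r"""
PID 3180 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe
PID 3180 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe
PID 3180 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe
PID 4500 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe
PID 4500 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe
PID 4500 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe
PID 4624 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1877451.exe
PID 4624 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1877451.exe
PID 4624 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1877451.exe
PID 4624 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3604841.exe
PID 4624 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3604841.exe
PID 4624 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3604841.exe
"""
WPM_ROWS = WPM_TABLE.strip().splitlines()

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_writes(rows):
    """Count each writer->target pair and remember the image path seen for every PID."""
    counts = Counter()
    names = {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError("unrecognised row: " + row)
        writer, target, writer_img, target_img = m.groups()
        writer, target = int(writer), int(target)
        counts[(writer, target)] += 1
        names.setdefault(writer, writer_img)
        names.setdefault(target, target_img)
    return counts, names


def build_tree(counts):
    """Assumption: a writer->target pair is a parent->child relation. Roots are
    writers that nobody wrote into."""
    children = defaultdict(list)
    for writer, target in sorted(counts):
        children[writer].append(target)
    targets = {t for _, t in counts}
    roots = sorted({w for w, _ in counts} - targets)
    return roots, dict(children)


def multi_writer_targets(counts):
    """PIDs written by more than one process. A parent writing only into its own
    child produces none, so anything listed here is a candidate for injection."""
    writers = defaultdict(set)
    for writer, target in counts:
        writers[target].add(writer)
    return sorted(t for t, ws in writers.items() if len(ws) > 1)


def render_tree(roots, children, names, counts):
    lines = []

    def walk(pid, depth, parent):
        note = "" if parent is None else f"  ({counts[(parent, pid)]} writes from {parent})"
        lines.append("  " * depth + f"PID {pid}  {names[pid]}{note}")
        for child in children.get(pid, []):
            walk(child, depth + 1, pid)

    for root in roots:
        walk(root, 0, None)
    return "\n".join(lines)


if __name__ == "__main__":
    counts, names = parse_writes(WPM_ROWS)
    roots, children = build_tree(counts)
    print(render_tree(roots, children, names, counts))
    print("targets with more than one writer:", multi_writer_targets(counts))
```

On this report the tree has a single root (3180) and an empty multi-writer list, which is the shape of a plain dropper chain; a stealer that hollowed a system binary would show a target written by one process but not appearing as that process's dropped child.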

Network

Country Destination Domain Proto
RU 5.42.92.211:80 - tcp
FI 77.91.124.82:19071 - tcp
FI 77.91.124.82:19071 - tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FI 77.91.124.82:19071 - tcp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
FI 77.91.124.82:19071 - tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
FI 77.91.124.82:19071 - tcp

Reading the table: 77.91.124.82:19071 is contacted five times over TCP on a non-standard port, and with the RedLine signature firing in the same detonation it is the connection to treat as the C2 candidate and to block or hunt for first. 5.42.92.211:80 is a single plain-HTTP contact for which the report records no URL or response. The three UDP rows are reverse (PTR) lookups for 52.111.227.11, 20.101.57.9 and 20.189.173.7 sent to 8.8.8.8; those addresses are in Microsoft cloud ranges and lookups of this kind are routinely generated by the Windows guest itself, so they are not indicators of this sample without further corroboration.
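The Network table mixes C2 traffic with DNS noise. The Python below is an example added for this page, not part of the report: it parses the rows, converts the in-addr.arpa names back into the addresses being looked up, counts repeated connections, picks out repeated TCP sessions to non-HTTP(S) ports as C2 candidates, and emits Suricata rules for the TCP destinations. The min_hits threshold, the sid range and the rule message are local conventions assumed for the example.

```python
from collections import Counter

SAMPLE_SHA256 = "a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd"

# Network rows copied from the report's table above (empty Domain cells omitted).
NET_ROWS = [
    "RU 5.42.92.211:80 tcp",
    "FI 77.91.124.82:19071 tcp",
    "FI 77.91.124.82:19071 tcp",
    "US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp",
    "FI 77.91.124.82:19071 tcp",
    "US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp",
    "FI 77.91.124.82:19071 tcp",
    "US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp",
    "FI 77.91.124.82:19071 tcp",
]


def parse_net_row(row):
    parts = row.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = None
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError("unrecognised row: " + row)
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def ptr_to_ip(name):
    """Turn an in-addr.arpa reverse-lookup name back into the IPv4 address it asks about."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def summarise(rows):
    """Split the table into counted connections and the addresses that PTR queries asked about."""
    connections = Counter()
    ptr_lookups = []
    for r in map(parse_net_row, rows):
        looked_up = ptr_to_ip(r["domain"]) if r["domain"] else None
        if looked_up and r["port"] == 53:
            ptr_lookups.append(looked_up)
        else:
            connections[(r["ip"], r["port"], r["proto"])] += 1
    return connections, ptr_lookups


def candidate_c2(connections, min_hits=2):
    """Repeated TCP sessions to a non-HTTP(S) port: the first pivot for a RedLine C2
    hunt. The threshold is a heuristic chosen here, not something the report states."""
    return sorted(
        (ip, port)
        for (ip, port, proto), n in connections.items()
        if proto == "tcp" and port not in (80, 443) and n >= min_hits
    )


def suricata_rules(connections, sid_base=9000000):
    """One alert rule per observed TCP destination. The SID range and message text are
    assumed local conventions."""
    tcp_dests = sorted((ip, port) for (ip, port, proto) in connections if proto == "tcp")
    return [
        f"alert tcp $HOME_NET any -> {ip} {port} "
        f'(msg:"RedLine sample {SAMPLE_SHA256[:12]} contacted {ip}:{port}"; '
        f"flow:to_server,established; sid:{sid_base + i}; rev:1;)"
        for i, (ip, port) in enumerate(tcp_dests, start=1)
    ]


if __name__ == "__main__":
    connections, ptr_lookups = summarise(NET_ROWS)
    for (ip, port, proto), n in sorted(connections.items()):
        print(f"{proto} {ip}:{port} x{n}")
    print("PTR lookups for:", ptr_lookups)
    print("C2 candidates:", candidate_c2(connections))
    print("\n".join(suricata_rules(connections)))
```

The PTR targets come out as 52.111.227.11, 20.101.57.9 and 20.189.173.7, which is what lets an analyst check them against the sandbox's own baseline traffic before adding them to a blocklist.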

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe

MD5 1aab740ecde0662d1aecf713c58b00a5
SHA1 01223131fa180b9310ec7752def8212ba9fbfd0b
SHA256 37b2a62c5e9f25dc77399bf706ae5e3c0dd9acc260b12654da73d284ba1ba4ad
SHA512 96a9c9a1947f903b96f5037f1c35b1eb7a754e3a025fb64c2cbe44b14bba1bd5850dd7354e288c4b98ea2e19580a759b6d8b2f94b58e00e937e45bd12edf48a8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe

MD5 5747dcfd715baf8b76c4c4ab564f3dba
SHA1 96fd0616dde5c2a63bb2fe4e5dec6fd3d0a7bbcf
SHA256 0e29696b3d32c35c98a9b04c41b96a3071e278f7c450a703cba90f59189cb9e4
SHA512 3fe92cd99e6d8add131bce498c0a7ba04bfef5d9036d416d413b4073be85ac603f6c5e883088c16e75a774146fe942a9c09b553be25582381d5992bafa130d25

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1877451.exe

MD5 ae3847506c22f17b08bdc023ae9556cc
SHA1 62a39020a1136400374506ea42f6c92d96a07e3e
SHA256 412ca3c78e4d6a6d485afa65958012013d95cbb9e27368789b41f48ccdd3b6a6
SHA512 b477f854efcc5707446975658427560ab90f2d9113cca541fe23aafa47b4db81a925d64d165ecf47fe0a3f12f5affed8d6b95accd616a2d585e3843b16f5c2bc

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3604841.exe

MD5 ebe90bd0c4935cbd06cebbf7e0105aec
SHA1 6181bd225af7ea88d30bd826309a16579b66eb69
SHA256 e364d795aeb8ae009f415a69fc0d4ae0b9ad950c2c4ef932b6dcd817a4c32858
SHA512 7206e7abc8648aad5a2b34de50110aec2139456d27e85d695f0488d4bae9996d856c6f5095cad7777e45ce62ed38f6e2a6e6f521aa7b9afc3bff836f450c3a15

Memory dumps, all taken from PID 4880 (C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3604841.exe, one of the two final-stage executables); region sizes computed from the address ranges in the dump names.

memory/4880-24-0x00000000000E0000-0x0000000000110000-memory.dmp (0x30000 bytes)
memory/4880-25-0x0000000072BC0000-0x00000000732AE000-memory.dmp (0x6EE000 bytes)
memory/4880-26-0x00000000009D0000-0x00000000009D6000-memory.dmp (0x6000 bytes)
memory/4880-27-0x000000000A400000-0x000000000AA06000-memory.dmp (0x606000 bytes)
memory/4880-28-0x0000000009F00000-0x000000000A00A000-memory.dmp (0x10A000 bytes)
memory/4880-29-0x0000000009E20000-0x0000000009E32000-memory.dmp (0x12000 bytes)
memory/4880-30-0x0000000009E80000-0x0000000009EBE000-memory.dmp (0x3E000 bytes)
memory/4880-31-0x000000000A010000-0x000000000A05B000-memory.dmp (0x4B000 bytes)
memory/4880-32-0x0000000072BC0000-0x00000000732AE000-memory.dmp (0x6EE000 bytes; the same range as dump 25, captured a second time)