Malware Analysis Report

2025-03-15 01:40

Sample ID 230910-k2ts4sga56
Target dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1
SHA256 dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1

Threat Level: Known bad

The file dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 09:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 09:06

Reported

2023-09-10 09:08

Platform

win10v2004-20230831-en

Max time kernel

130s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2063247.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8903813.exe N/A

Note: all three values are wextract_cleanup<N> entries under RunOnce whose command is rundll32.exe advpack.dll,DelNodeRunDLL32 "<IXP00n.TMP directory>". That is the cleanup stub the Microsoft Win32 Cabinet Self-Extractor (wextract.exe, the runtime behind IExpress packages) writes so that its temporary extraction directory is deleted at the next logon; it does not start the payload. What the signature documents is a three-deep nested self-extractor chain (IXP000.TMP, IXP001.TMP, IXP002.TMP), each stage extracting and launching the next, rather than persistence of the stealer itself. No other Run or RunOnce value was recorded in this detonation, so a host-side check should look for the dropped IXP00n.TMP executables and the network indicators below, not for an autostart entry of m5118204.exe or n1946282.exe.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4728 wrote to memory of 4924 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2063247.exe
PID 4924 wrote to memory of 4064 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2063247.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8903813.exe
PID 4064 wrote to memory of 5080 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8903813.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5118204.exe
PID 4064 wrote to memory of 1720 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8903813.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1946282.exe
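The two signature tables above are the raw material for the drop chain and for the persistence verdict. The script below is an added example (not part of the sandbox report or its tooling): it takes the three Set value rows and the WriteProcessMemory events exactly as the report prints them (each parent/child pair appears three times, reproduced inline), rebuilds the parent/child tree with PIDs, and classifies each RunOnce write. The classification relies on one fact stated in the note above: a RunOnce value named wextract_cleanup<N> running advpack.dll,DelNodeRunDLL32 against a temp directory is the self-extractor's cleanup stub, not an autostart. The label names (sfx_cleanup, autostart) and the helper functions are this example's own.

```python
"""Rebuild the drop chain and classify RunOnce writes from the behavioral1
signature rows. Added example; row strings copied from the report."""
import re
from collections import Counter, defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"
BS = "\\"

# "Adds Run key to start application" rows, copied verbatim from the report.
RUNONCE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2063247.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8903813.exe N/A',
]
# "Suspicious use of WriteProcessMemory" rows; the report lists each pair three times.
WPM_ROWS = (
    [rf"PID 4728 wrote to memory of 4924 N/A {T}\dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1.exe {T}\IXP000.TMP\y2063247.exe"] * 3
    + [rf"PID 4924 wrote to memory of 4064 N/A {T}\IXP000.TMP\y2063247.exe {T}\IXP001.TMP\y8903813.exe"] * 3
    + [rf"PID 4064 wrote to memory of 5080 N/A {T}\IXP001.TMP\y8903813.exe {T}\IXP002.TMP\m5118204.exe"] * 3
    + [rf"PID 4064 wrote to memory of 1720 N/A {T}\IXP001.TMP\y8903813.exe {T}\IXP002.TMP\n1946282.exe"] * 3
)

SETVALUE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+) (\S+)$')
WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# wextract/IExpress cleanup stub: rundll32 advpack.dll,DelNodeRunDLL32 "<tmpdir>"
CLEANUP = re.compile(r'^rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(.+)"$', re.I)


def unescape(s):
    """Undo the report's \\\\ and \\" escaping inside registry string values."""
    out, i = [], 0
    while i < len(s):
        if s[i] == BS and i + 1 < len(s) and s[i + 1] in '\\"':
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_setvalue(row):
    m = SETVALUE.match(row)
    if not m:
        raise ValueError("not a Set value row: " + row[:60])
    return {"type": m[1], "key": m[2], "value": unescape(m[3]),
            "process": m[4], "target": m[5]}


def classify_autostart(key, value):
    """'sfx_cleanup' for the self-extractor's temp-dir deletion stub (returns the
    directory it deletes), 'autostart' for anything else written under Run/RunOnce."""
    m = CLEANUP.match(value)
    if m and "\\RunOnce\\wextract_cleanup" in key:
        return "sfx_cleanup", m[1]
    return "autostart", value


def parse_drop_chain(rows):
    """Return pid->image path, parent->[child pids], and WPM events per edge."""
    names, children, events = {}, defaultdict(list), Counter()
    for row in rows:
        m = WPM.match(row)
        if not m:
            raise ValueError("not a WriteProcessMemory row: " + row[:60])
        parent, child = int(m[1]), int(m[2])
        names.setdefault(parent, m[3])
        names.setdefault(child, m[4])
        events[(parent, child)] += 1
        if child not in children[parent]:
            children[parent].append(child)
    return names, dict(children), events


def roots(names, children):
    """PIDs that never appear as a child: the detonated sample itself."""
    kids = {c for cs in children.values() for c in cs}
    return [p for p in names if p not in kids]


def render_tree(pid, names, children, depth=0):
    short = names[pid].rsplit("\\Temp\\", 1)[-1]
    lines = ["    " * depth + f"{pid} {short}"]
    for c in children.get(pid, []):
        lines += render_tree(c, names, children, depth + 1)
    return lines


def report():
    names, children, events = parse_drop_chain(WPM_ROWS)
    lines = ["Drop chain (WriteProcessMemory events per edge: %s)" % dict(events)]
    for r in roots(names, children):
        lines += render_tree(r, names, children)
    lines.append("RunOnce writes:")
    for e in map(parse_setvalue, RUNONCE_ROWS):
        kind, detail = classify_autostart(e["key"], e["value"])
        lines.append(f"  {e['key'].rsplit(BS, 1)[-1]}: {kind} -> {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Running it prints the five-process tree rooted at PID 4728 and marks all three RunOnce writes as sfx_cleanup with the IXP00n.TMP directory each one deletes; any value that is not the advpack cleanup stub would come back as autostart and deserve a real persistence review.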

Processes

Process tree (PIDs and parent/child relations taken from the WriteProcessMemory events above; each IXP00n.TMP stage is the extraction directory of a nested self-extractor that drops and runs the next stage):

C:\Users\Admin\AppData\Local\Temp\dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1.exe (PID 4728)
  command line: "C:\Users\Admin\AppData\Local\Temp\dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1.exe"

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2063247.exe (PID 4924, child of 4728)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2063247.exe

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8903813.exe (PID 4064, child of 4924)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8903813.exe

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5118204.exe (PID 5080, child of 4064)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5118204.exe

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1946282.exe (PID 1720, child of 4064)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1946282.exe

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53           73.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53           9.228.82.20.in-addr.arpa       udp
US       8.8.8.8:53           126.153.27.67.in-addr.arpa     udp
US       8.8.8.8:53           59.128.231.4.in-addr.arpa      udp
RU       5.42.92.211:80       -                              tcp
US       8.8.8.8:53           88.156.103.20.in-addr.arpa     udp
US       8.8.8.8:53           tse1.mm.bing.net               udp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa      udp
US       8.8.8.8:53           200.197.79.204.in-addr.arpa    udp
US       8.8.8.8:53           146.78.124.51.in-addr.arpa     udp
FI       77.91.124.82:19071   -                              tcp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa     udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa     udp
US       8.8.8.8:53           1.208.79.178.in-addr.arpa      udp
FI       77.91.124.82:19071   -                              tcp
FI       77.91.124.82:19071   -                              tcp
FI       77.91.124.82:19071   -                              tcp
US       8.8.8.8:53           1.173.189.20.in-addr.arpa      udp
FI       77.91.124.82:19071   -                              tcp

("-" marks a connection for which the report records no domain, i.e. a bare-IP connection with no preceding DNS query.)

Of these 26 connections, 15 are UDP queries to Google DNS (14 reverse lookups of addresses the sandbox itself exchanged traffic with, plus the forward lookup of tse1.mm.bing.net) and 5 are HTTPS sessions to the Bing endpoint, which the Windows 10 image contacts on its own. The remaining six go to bare IP addresses: one TCP session to 5.42.92.211:80 (RU) and five TCP sessions to 77.91.124.82:19071 (FI). Those two endpoints are the network indicators to take from this detonation. The report does not capture payload, so which of them serves as the RedLine command-and-control channel and what was exchanged is not established here.
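The Network table mixes the sandbox's own resolver traffic and Windows background connections with the sample's real activity, and separating them is the first thing an analyst does with it. The script below is an added example (not part of the sandbox report or its tooling) that takes the 26 rows as the sandbox prints them (country, destination, optional domain, protocol; the domain column is simply absent for bare-IP connections), buckets them, turns the reverse lookups back into the peer addresses they were about, and emits a Suricata rule per direct-IP endpoint. The background-domain allowlist, the resolver address and the sid range are this example's assumptions and should be tuned to the sandbox image and sensor in use.

```python
"""Triage the behavioral1 Network table: split sandbox DNS and Windows
background traffic from the sample's direct-IP connections and emit
block-list rules for the latter. Added example; rows copied from the report."""
from collections import Counter, defaultdict

# The 26 Network rows as the sandbox prints them (domain absent for bare IPs).
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 126.153.27.67.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
RU 5.42.92.211:80 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
""".splitlines()

RESOLVERS = {"8.8.8.8:53"}           # the sandbox's configured DNS resolver
BACKGROUND_DOMAINS = ("bing.net",)   # assumption: Windows 10 image noise, tune per image
SID_BASE = 9_000_000                 # assumption: a local Suricata sid range


def parse_row(row):
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, ""
    else:
        raise ValueError("unexpected Network row: " + row)
    return {"country": country, "dest": dest, "domain": domain, "proto": proto}


def classify(conn):
    if conn["dest"] in RESOLVERS and conn["proto"] == "udp":
        return "reverse_dns" if conn["domain"].endswith(".in-addr.arpa") else "dns"
    if conn["domain"].endswith(BACKGROUND_DOMAINS):
        return "os_background"
    return "direct_ip" if not conn["domain"] else "other"


def triage(rows):
    """Bucket every row; count direct-IP sessions per (dest, country, proto)."""
    buckets = defaultdict(list)
    for conn in map(parse_row, rows):
        buckets[classify(conn)].append(conn)
    direct = Counter((c["dest"], c["country"], c["proto"]) for c in buckets["direct_ip"])
    return dict(buckets), direct


def reverse_dns_targets(rows):
    """Map a.b.c.d.in-addr.arpa lookups back to the peer IPs the sandbox resolved."""
    suffix = ".in-addr.arpa"
    return [".".join(reversed(c["domain"][: -len(suffix)].split(".")))
            for c in map(parse_row, rows) if c["domain"].endswith(suffix)]


def suricata_rules(direct):
    """One outbound-connection alert per direct-IP endpoint, sids from SID_BASE."""
    rules = []
    for n, ((dest, country, proto), count) in enumerate(sorted(direct.items())):
        ip, port = dest.rsplit(":", 1)
        rules.append(
            f"alert {proto} $HOME_NET any -> {ip} {port} "
            f'(msg:"Sample 230910-k2ts4sga56 direct connect {dest} '
            f'({country}, {count} sessions in sandbox)"; '
            f"flow:to_server; sid:{SID_BASE + n}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    buckets, direct = triage(NETWORK_ROWS)
    for kind, conns in buckets.items():
        print(f"{kind:14s} {len(conns)}")
    print("\n".join(suricata_rules(direct)))
```

The reverse-lookup conversion is worth keeping in a triage script: the in-addr.arpa names are the sandbox resolving peers it already spoke to, so they tell you which addresses generated traffic that the table otherwise shows only as DNS noise.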

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2063247.exe

MD5 4edea641c3a3132ed9bc073abdfc7d3b
SHA1 da0adef304a4ad76c302abc66f376105cd1e226b
SHA256 d34effcf4be765c829ccf687ff4601b83ac1e501df6f530e415e2066bbe37ea7
SHA512 7289963354cf49e75cbda2ceebb8598549d09a02782657888976d0459ad2f7c33ccb3bee64a22ef5b628e26d4dc005c062ea340633e21effdb7338f90cc7f5ae

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8903813.exe

MD5 6eb099dacb940e43311030eafdbc7a18
SHA1 1de5fc1f1df49ef33ebeb53c348a4114577669d8
SHA256 d0eb30dc908f2a8ced2144dccce4e2ebb755222cc904919b8423ee53d697e42d
SHA512 f3e5a9eb64580b12851c863c7d1be623912a3e5d083f532b498d182a83b1a57f54a4ce6908dc0813db34ea45b2aaa31113b2e635451ff3bf25cda5b278dc6067

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5118204.exe

MD5 ca85750cd4d1e4eb1d595cf691ef5248
SHA1 e41a572e57b0277f48fbfbb346b44bdd82bebcc1
SHA256 b140022ae179125093ddaee563e62198fe025ac98d937f7d0830df075e640919
SHA512 a882dd9e6245ac890a73f12889f38268f2ef67a30c62da0a66e1706da70db3f8d5fb273dd548b35aedcc00509e93cdf53f8dcdfb0af420621f92b9a62772469d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1946282.exe

MD5 d4d8a656f1d87a0b924acdd174af2ae8
SHA1 34d5f42bbc3bec2d5245d12499f2a051a0dddb6f
SHA256 fbcf1abc4e8dd1cacaae77f7bc8d661a85d8a19b2a9ad33168394440da99523f
SHA512 895d85aae56a4b763ffed9fef20b4db113e3265e960099ca991c6e753a2dc779b065fd8d24213c1248358c5a2f750cf9af119efff18bac63e282e8a47eeabcba

Memory dumps (all taken from PID 1720, C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1946282.exe)

memory/1720-24-0x0000000000D40000-0x0000000000D70000-memory.dmp
memory/1720-25-0x0000000074130000-0x00000000748E0000-memory.dmp
memory/1720-26-0x000000000B0B0000-0x000000000B6C8000-memory.dmp
memory/1720-27-0x000000000ABB0000-0x000000000ACBA000-memory.dmp
memory/1720-28-0x000000000AAF0000-0x000000000AB02000-memory.dmp
memory/1720-29-0x0000000005700000-0x0000000005710000-memory.dmp
memory/1720-30-0x000000000AB50000-0x000000000AB8C000-memory.dmp
memory/1720-31-0x0000000074130000-0x00000000748E0000-memory.dmp
memory/1720-32-0x0000000005700000-0x0000000005710000-memory.dmp