Malware Analysis Report

2025-03-15 01:40

Sample ID 230910-kcz9lafg2w
Target b15ecbbc7a245f9e0448b6d292f5c53316d491917d371488562d4ede0044cf66
SHA256 b15ecbbc7a245f9e0448b6d292f5c53316d491917d371488562d4ede0044cf66
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b15ecbbc7a245f9e0448b6d292f5c53316d491917d371488562d4ede0044cf66

Threat Level: Known bad

The file b15ecbbc7a245f9e0448b6d292f5c53316d491917d371488562d4ede0044cf66 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 08:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 08:28

Reported

2023-09-10 08:30

Platform

win10v2004-20230831-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b15ecbbc7a245f9e0448b6d292f5c53316d491917d371488562d4ede0044cf66.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b15ecbbc7a245f9e0448b6d292f5c53316d491917d371488562d4ede0044cf66.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5251886.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7051169.exe N/A

Note on this signature: the values are written under RunOnce, not Run, and each is the wextract_cleanupN entry that the Win32 Cabinet Self-Extractor (the IExpress/wextract stub) registers so that rundll32 calls advpack.dll,DelNodeRunDLL32 at next logon to delete its IXPnnn.TMP extraction directory. The entries do not relaunch the payload, so they are not persistence in the ATT&CK T1547.001 sense. What they do confirm is three nested self-extracting layers (IXP000.TMP -> IXP001.TMP -> IXP002.TMP), each entry written by the executable that unpacked into that directory.

Suspicious use of WriteProcessMemory

Description Indicator Process Target Writes
PID 3704 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\b15ecbbc7a245f9e0448b6d292f5c53316d491917d371488562d4ede0044cf66.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5251886.exe 3
PID 4552 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5251886.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7051169.exe 3
PID 2916 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7051169.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1568105.exe 3
PID 2916 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7051169.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9944352.exe 3

Processes

PID Parent Image Command line
3704 - C:\Users\Admin\AppData\Local\Temp\b15ecbbc7a245f9e0448b6d292f5c53316d491917d371488562d4ede0044cf66.exe "C:\Users\Admin\AppData\Local\Temp\b15ecbbc7a245f9e0448b6d292f5c53316d491917d371488562d4ede0044cf66.exe"
4552 3704 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5251886.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5251886.exe
2916 4552 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7051169.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7051169.exe
4920 2916 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1568105.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1568105.exe
3812 2916 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9944352.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9944352.exe

PIDs and parent links are taken from the WriteProcessMemory table above, where the writing process is the parent that launched the child.
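To make the parent/child pairs in the WriteProcessMemory table and the three RunOnce entries easier to read together, here is an added Python example (not part of the sandbox output) that rebuilds the process tree from those rows and labels each wextract_cleanupN value as self-extractor (SFX) cleanup only when it was set by the same process that unpacked into that IXP directory. The input rows are reproduced from the tables above; the function names and the 'sfx-cleanup' / 'review' labels are the example's own.

```python
"""Reconstruct the process tree and triage the RunOnce rows from the report.
Input rows are reproduced from the report; function names and the verdict
labels are this example's own (not part of the sandbox output)."""
import ntpath
import re
from collections import defaultdict

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\b15ecbbc7a245f9e0448b6d292f5c53316d491917d371488562d4ede0044cf66.exe"

# "Suspicious use of WriteProcessMemory" rows: the sandbox logs one row per write,
# and it logged three writes for every parent/child pair.
WPM_ROWS = (
    [f"PID 3704 wrote to memory of 4552 N/A {SAMPLE} {TMP}\\IXP000.TMP\\y5251886.exe"] * 3
    + [f"PID 4552 wrote to memory of 2916 N/A {TMP}\\IXP000.TMP\\y5251886.exe {TMP}\\IXP001.TMP\\y7051169.exe"] * 3
    + [f"PID 2916 wrote to memory of 4920 N/A {TMP}\\IXP001.TMP\\y7051169.exe {TMP}\\IXP002.TMP\\m1568105.exe"] * 3
    + [f"PID 2916 wrote to memory of 3812 N/A {TMP}\\IXP001.TMP\\y7051169.exe {TMP}\\IXP002.TMP\\n9944352.exe"] * 3
)


def _runonce_row(n, setter):
    """One 'Set value (str)' row from the 'Adds Run key' table, same layout as the report."""
    return (r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
            r"\CurrentVersion\RunOnce\wextract_cleanup%d = " % n
            + r'"rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
            + r'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP00%d.TMP\\\"" ' % n
            + setter + " N/A")


RUNONCE_ROWS = [
    _runonce_row(0, SAMPLE),
    _runonce_row(1, TMP + r"\IXP000.TMP\y5251886.exe"),
    _runonce_row(2, TMP + r"\IXP001.TMP\y7051169.exe"),
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
RUNONCE_RE = re.compile(r'RunOnce\\(wextract_cleanup\d+) = "(.*)" (\S+) N/A$')
IXP_RE = re.compile(r"(IXP\d{3}\.TMP)")


def parse_wpm(rows):
    """Unique (parent_pid, child_pid, parent_path, child_path) -> number of writes logged."""
    counts = {}
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            key = (int(m[1]), int(m[2]), m[3], m[4])
            counts[key] = counts.get(key, 0) + 1
    return counts


def build_tree(edges):
    """PID -> image path, PID -> child PIDs, and the root PIDs (no recorded parent)."""
    paths, children = {}, defaultdict(list)
    for ppid, pid, ppath, cpath in edges:
        paths.setdefault(ppid, ppath)
        paths[pid] = cpath
        children[ppid].append(pid)
    all_children = {c for kids in children.values() for c in kids}
    roots = [p for p in paths if p not in all_children]
    return paths, children, roots


def render_tree(paths, children, pid, depth=0):
    lines = ["  " * depth + f"{pid} {ntpath.basename(paths[pid])}"]
    for child in children.get(pid, []):
        lines += render_tree(paths, children, child, depth + 1)
    return lines


def extraction_dirs(edges):
    """IXPnnn.TMP directory -> path of the process that launched a child out of it,
    i.e. the SFX layer that unpacked into that directory."""
    dirs = {}
    for _ppid, _pid, ppath, cpath in edges:
        m = IXP_RE.search(cpath)
        if m:
            dirs.setdefault(m[1], ppath)
    return dirs


def triage_runonce(rows, edges):
    """A wextract_cleanupN value running advpack.dll,DelNodeRunDLL32 on an IXP directory
    is the cabinet self-extractor's own temp-dir cleanup. When it was set by the very
    process that unpacked into that directory it is a layering artifact ('sfx-cleanup'),
    not a relaunch of the payload; anything else is left for the analyst ('review')."""
    dirs = extraction_dirs(edges)
    findings = []
    for row in rows:
        m = RUNONCE_RE.search(row)
        if not m:
            continue
        name, value, setter = m[1], m[2], m[3]
        d = IXP_RE.search(value)
        is_cleanup = "DelNodeRunDLL32" in value and d is not None
        verdict = "sfx-cleanup" if is_cleanup and dirs.get(d[1]) == setter else "review"
        findings.append({"name": name, "tempdir": d[1] if d else None,
                         "setter": setter, "verdict": verdict})
    return findings


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    paths, children, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render_tree(paths, children, root)))
    for f in triage_runonce(RUNONCE_ROWS, edges):
        print(f"{f['name']}: {f['verdict']} ({f['tempdir']}, set by {ntpath.basename(f['setter'])})")
```

Running it prints the five-process tree rooted at PID 3704 and marks all three wextract_cleanup values as SFX cleanup. A RunOnce value that points at an IXP directory but was written by a different process, or one that does not call DelNodeRunDLL32 at all, comes back as 'review', which is the case that would actually merit the persistence tag.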

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
RU 5.42.92.211:80 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.121.18.2.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
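Most of the rows above are background noise: reverse (PTR) lookups for addresses that never appear as connection targets in the table, plus Windows traffic to bing.com. The two endpoints the sample reached directly by IP, with no name resolution, are the ones worth an indicator. Here is an added Python example (not part of the sandbox output) that applies that triage to the rows exactly as logged, one per connection, and emits Suricata rules for the direct-to-IP endpoints. The allowlist, the label names and the rule text are the example's own choices; the sids are placeholders.

```python
"""Triage the report's network table: separate sandbox/OS background traffic from
direct-to-IP connections, then emit Suricata rules for the latter. Rows are
reproduced from the report (one per logged connection); the allowlist, labels
and rule text are this example's own, not the sandbox's."""
import ipaddress
import re
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
RU 5.42.92.211:80 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.121.18.2.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
""".splitlines()

# Analyst-maintained list of Windows background destinations (an assumption of this
# example; the report does not state which traffic is benign).
ALLOWLIST = ("bing.com",)

ROW_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")


def parse_rows(rows):
    out = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            out.append({"cc": m[1], "ip": m[2], "port": int(m[3]),
                        "domain": m[4], "proto": m[5]})
    return out


def ptr_target(domain):
    """'76.32.126.40.in-addr.arpa' -> '40.126.32.76'; None for non-PTR names."""
    if not domain or not domain.endswith(".in-addr.arpa"):
        return None
    return ".".join(reversed(domain[:-len(".in-addr.arpa")].split(".")))


def classify(row, contacted, allowlist=ALLOWLIST):
    """ptr-noise: reverse lookup of an address the sample never connected to.
    ptr-of-contacted: reverse lookup of a real connection target (worth a look).
    allowlisted: background name. direct-to-ip: public address reached with no
    name resolution, the usual shape of a hard-coded C2. review: anything else."""
    d = row["domain"]
    target = ptr_target(d)
    if target:
        return "ptr-of-contacted" if target in contacted else "ptr-noise"
    if d and any(d == a or d.endswith("." + a) for a in allowlist):
        return "allowlisted"
    if d is None and ipaddress.ip_address(row["ip"]).is_global:
        return "direct-to-ip"
    return "review"


def triage(rows, allowlist=ALLOWLIST):
    parsed = parse_rows(rows)
    contacted = {r["ip"] for r in parsed if r["port"] != 53}   # non-DNS destinations
    return [(r, classify(r, contacted, allowlist)) for r in parsed]


def candidates(rows):
    """(ip, port, proto, country) -> connection count for direct-to-IP traffic."""
    c = Counter()
    for r, label in triage(rows):
        if label == "direct-to-ip":
            c[(r["ip"], r["port"], r["proto"], r["cc"])] += 1
    return c


def suricata_rules(cands, base_sid=9000001):
    """One alert rule per candidate, busiest endpoint first."""
    rules = []
    ordered = sorted(cands.items(), key=lambda kv: (-kv[1], kv[0]))
    for i, ((ip, port, proto, cc), n) in enumerate(ordered):
        rules.append(
            f'alert {proto} $HOME_NET any -> {ip} {port} '
            f'(msg:"Sandbox IOC {ip}:{port} ({cc}); {n} connections during detonation"; '
            f'flow:to_server; classtype:trojan-activity; sid:{base_sid + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    print(Counter(label for _, label in triage(NETWORK_ROWS)))
    for rule in suricata_rules(candidates(NETWORK_ROWS)):
        print(rule)
```

Of the 20 rows, 12 are PTR noise, 2 are allowlisted and 6 are direct-to-IP, leaving two candidates: 77.91.124.82:19071 (five connections, a non-standard high port, the shape expected of a stealer check-in) and 5.42.92.211:80 (one connection). Confirm the first against the configuration recoverable from the PID 3812 memory dumps listed under Files before labelling it as the RedLine C2.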

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5251886.exe

MD5 aa0f2c7c178bf410dabdd9966bc797b6
SHA1 a5428edb56c0340db3e9fe2442cd722ca1b89273
SHA256 30020020da0e8d00593ea90883aad11494098407a108a94e27e3ca2fda31155d
SHA512 b6068f3badf72ef789d509f4bf520ce0e879411f84bd9892fe654d4976565d21975d13ed3f1a9b0d317fb3839dddd24f5c8ec25cc3672bfcaf2557b5df979f0a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7051169.exe

MD5 63e464f314d790e4a843741c8ee5728f
SHA1 f395da808009d57e2be3ae7d45179097b243a228
SHA256 94e18f06b510267badaf3085ff761183799c96a4eba2843e82bf7f3eeeed721d
SHA512 4ba4f0e3047421507f6e8883fce6c86cb3615e086d16e1e243f54b7a04e9a7f47362a101e4336a196d21b75d7d9cd9dd3ee003134c3e0b4d63d462a8cc7627b7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1568105.exe

MD5 95b5eaa4779fba4f21ae26ff883ab1a3
SHA1 7f24374f0b6bec896109405686073aa8990aea3c
SHA256 9471476ba4a75e3350bf4c9cdd1582bfc059ddc94c622248d713c0556db9be5f
SHA512 241c82eee553c80c918f2191fa940c2d5cd421c6d7e51ce3d8803d60d7473d55b18607b6333540f263fa9edc8ede715a82d38dcf8280d39a8ce2e999a67dda88

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9944352.exe

MD5 ecdfdd53993fcdac3bf755f29e52b8f2
SHA1 457e870ec06485181e382436c14559b9f5018236
SHA256 e1a2af5d0c1af4f3768e95208c3b251beaff317fac933de828b362c510712034
SHA512 4014e808c2410a808d54427114c8ebabe2266b849575b9c1b08e384583260d08382c94684867d559a5a60596d1e8aab594de920ec8fdc5af2b02598b07a016a6

Memory dumps (all from PID 3812, n9944352.exe per the WriteProcessMemory table)

memory/3812-24-0x0000000000730000-0x0000000000760000-memory.dmp
memory/3812-25-0x0000000074170000-0x0000000074920000-memory.dmp
memory/3812-26-0x000000000ABE0000-0x000000000B1F8000-memory.dmp
memory/3812-27-0x000000000A6E0000-0x000000000A7EA000-memory.dmp
memory/3812-28-0x0000000005230000-0x0000000005240000-memory.dmp
memory/3812-29-0x000000000A620000-0x000000000A632000-memory.dmp
memory/3812-30-0x000000000A680000-0x000000000A6BC000-memory.dmp
memory/3812-31-0x0000000074170000-0x0000000074920000-memory.dmp
memory/3812-32-0x0000000005230000-0x0000000005240000-memory.dmp