Malware Analysis Report

2025-03-15 01:38

Sample ID 230910-kkyqqsfh55
Target a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75
SHA256 a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75

Threat Level: Known bad

The file a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 08:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 08:40

Reported

2023-09-10 08:42

Platform

win10-20230831-en

Max time kernel

129s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9323072.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9464001.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75.exe N/A

Note on these values: wextract_cleanupN under RunOnce, with data that has rundll32 load advpack.dll and call DelNodeRunDLL32 on an IXP00N.TMP directory, is the cleanup entry the Windows self-extractor stub (wextract, as built by IExpress) writes for its extraction directory; at the next logon it deletes that directory and RunOnce removes the value. The entries do not relaunch the payload, so the persistence tag rests on this signature alone. What they do show is three nested self-extractors: cleanup0 is written by the submitted file for IXP000.TMP, cleanup1 by y9323072.exe for IXP001.TMP, and cleanup2 by y9464001.exe for IXP002.TMP, and the dropped stages listed under Files will be deleted at the next logon unless they are collected first.
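The following is an added example, not part of the sandbox output above: a small classifier that takes Run/RunOnce "Set value" events of the kind shown in the table and separates wextract cleanup entries (recoverable as the extraction directory and the nesting order) from values that would actually autostart something. The three events are transcribed from the table with the backslash escaping removed; the fourth, "Updater", is a constructed autostart value added only to show the contrast, and the RunKeyFinding fields are this example's own naming.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the three "Set value (str)" rows above, as
# (registry key, value data, writing process), with single backslashes.
RUNONCE_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9323072.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9464001.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75.exe"),
]

# Constructed, hypothetical autostart value (not from the report) used as a
# negative case: a Run value pointing at a dropped binary.
AUTOSTART_EVENT = (
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
    r'"C:\Users\Admin\AppData\Roaming\updater.exe"',
    r"C:\Users\Admin\AppData\Local\Temp\dropper.exe",
)

# Value data written by the wextract stub: rundll32 loading advpack.dll and
# calling DelNodeRunDLL32 on the extraction directory (trailing backslash optional).
WEXTRACT_CLEANUP = re.compile(
    r'^rundll32(?:\.exe)?\s+(?P<dll>\S*?advpack\.dll),DelNodeRunDLL32\s+"(?P<dir>[^"]+?)\\?"$',
    re.IGNORECASE,
)
KEY_NAME = re.compile(r"\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$", re.IGNORECASE)


@dataclass
class RunKeyFinding:
    key_name: str                    # value name under Run or RunOnce
    run_once: bool                   # RunOnce (one-shot) vs Run (every logon)
    writer: str                      # process that wrote the value
    sfx_cleanup_dir: Optional[str]   # directory deleted at next logon, if a cleanup entry
    verdict: str                     # "sfx-cleanup" or "autostart"


def classify(key: str, data: str, writer: str) -> RunKeyFinding:
    m = KEY_NAME.search(key)
    name = m.group("name") if m else key.rsplit("\\", 1)[-1]
    run_once = "\\runonce\\" in key.lower()
    cleanup = WEXTRACT_CLEANUP.match(data)
    if cleanup and name.lower().startswith("wextract_cleanup"):
        return RunKeyFinding(name, run_once, writer, cleanup.group("dir"), "sfx-cleanup")
    return RunKeyFinding(name, run_once, writer, None, "autostart")


def sfx_nesting(findings):
    """Order cleanup entries by their wextract sequence number, which gives the
    unpacking order of the nested self-extractors: [(dir, writer), ...]."""
    seq = []
    for f in findings:
        if f.verdict != "sfx-cleanup":
            continue
        n = int(re.search(r"(\d+)$", f.key_name).group(1))
        seq.append((n, f.sfx_cleanup_dir, f.writer))
    return [(d, w) for _, d, w in sorted(seq)]


def analyse(events=RUNONCE_EVENTS):
    return [classify(*e) for e in events]


if __name__ == "__main__":
    findings = analyse()
    for d, w in sfx_nesting(findings):
        print(f"{w.rsplit(chr(92), 1)[-1]} extracted into {d} (deleted at next logon)")
    print(classify(*AUTOSTART_EVENT).verdict)
```

Run on the three report events the nesting comes out as IXP000.TMP, IXP001.TMP, IXP002.TMP, written by the submitted file, y9323072.exe and y9464001.exe respectively; the constructed Run value is reported as a real autostart.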

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4712 wrote to memory of 2496 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9323072.exe
PID 2496 wrote to memory of 4952 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9323072.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9464001.exe
PID 4952 wrote to memory of 772 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9464001.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0436827.exe
PID 4952 wrote to memory of 292 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9464001.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3718195.exe

Note on these events: every source/target pair is a parent writing into a child it has just created, matching the chain under Processes and Files (submitted file -> y9323072.exe -> y9464001.exe -> m0436827.exe and n3718195.exe). A parent writes into a new process as part of setting it up, and this signature reports those writes the same way it reports injection; the uniform three writes per child, with no writes into a process the writer did not create, are evidence of the nested self-extractor stages rather than of injection into an unrelated process.
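Added example, not part of the report: rebuilding the process tree from the WriteProcessMemory rows and separating creation-time writes (first writer into a pid is taken as its parent) from writes into a process the writer did not create, which is the case that would merit an injection verdict. The twelve events are transcribed from the table; the INJECTION_EXAMPLE event and the ProcessTree class are this example's own constructions and assumptions.

```python
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75.exe"
STAGE1 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9323072.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9464001.exe"
PAYLOAD_M = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0436827.exe"
PAYLOAD_N = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3718195.exe"

# Constructed sample input: the twelve WriteProcessMemory rows above, as
# (source pid, target pid, source image, target image).
WPM_EVENTS = (
    [(4712, 2496, SAMPLE, STAGE1)] * 3
    + [(2496, 4952, STAGE1, STAGE2)] * 3
    + [(4952, 772, STAGE2, PAYLOAD_M)] * 3
    + [(4952, 292, STAGE2, PAYLOAD_N)] * 3
)

# Constructed, hypothetical event (not in the report): a leaf process writing
# into a process it did not create, used to show the injection path.
INJECTION_EXAMPLE = (292, 2496, PAYLOAD_N, STAGE1)


class ProcessTree:
    def __init__(self, events):
        self.image = {}                    # pid -> image path
        self.parent = {}                   # pid -> pid of first writer (creator)
        self.children = defaultdict(list)  # pid -> child pids in first-seen order
        self.writes = Counter()            # (src, dst) -> number of write events
        for src, dst, src_img, dst_img in events:
            self.image[src] = src_img
            self.image[dst] = dst_img
            self.writes[(src, dst)] += 1
            # The first writer into a pid is treated as its parent; a later,
            # different writer is a write into a process it did not create.
            if dst not in self.parent:
                self.parent[dst] = src
                self.children[src].append(dst)

    def roots(self):
        return [p for p in self.image if p not in self.parent]

    def chain(self, pid):
        """Ancestry from the root down to pid."""
        out = [pid]
        while out[-1] in self.parent:
            out.append(self.parent[out[-1]])
        return out[::-1]

    def leaves(self):
        return sorted(p for p in self.image if not self.children.get(p))

    def foreign_writers(self):
        """(src, dst) pairs where src is not dst's creator: injection candidates."""
        return [(s, d) for (s, d) in self.writes if self.parent.get(d) != s]

    def render(self, pid=None, depth=0):
        if pid is None:
            return "\n".join(self.render(r) for r in self.roots())
        name = self.image[pid].rsplit("\\", 1)[-1]
        note = ""
        if pid in self.parent:
            note = f", {self.writes[(self.parent[pid], pid)]} writes from parent"
        lines = ["  " * depth + f"{'+- ' if depth else ''}{name} (pid {pid}{note})"]
        for child in self.children.get(pid, []):
            lines.append(self.render(child, depth + 1))
        return "\n".join(lines)


if __name__ == "__main__":
    tree = ProcessTree(WPM_EVENTS)
    print(tree.render())
    print("foreign writers:", tree.foreign_writers())
    print("with constructed event:", ProcessTree(WPM_EVENTS + [INJECTION_EXAMPLE]).foreign_writers())
```

On the report's events the tree has one root (pid 4712), the two IXP002.TMP binaries as leaves, three writes on every edge and no foreign writers; adding the constructed event makes (292, 2496) show up as the one pair worth a closer look.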

Processes

C:\Users\Admin\AppData\Local\Temp\a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75.exe

"C:\Users\Admin\AppData\Local\Temp\a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9323072.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9323072.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9464001.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9464001.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0436827.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0436827.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3718195.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3718195.exe

Network

Country Destination Domain Proto
RU 5.42.92.211:80 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
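Added example, not part of the report: turning the Network and Files sections into a deduplicated indicator set. It counts hits per endpoint, decodes the two in-addr.arpa names the sandbox saw being queried back to the addresses they look up (octets are reversed in a PTR name), collects the four unique dropped-file SHA256 values, and emits one Suricata alert per observed TCP endpoint. The rows and hashes are transcribed from this report; the SID range, the rule message text and the decision to skip the 8.8.8.8:53 resolver traffic are this example's own assumptions, and nothing here asserts which endpoint is the command-and-control server.

```python
import ipaddress
from collections import Counter

# Constructed sample input: the eight Network rows above as
# (country, destination, domain, proto).
NET_ROWS = [
    ("RU", "5.42.92.211:80", "", "tcp"),
    ("FI", "77.91.124.82:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "13.227.111.52.in-addr.arpa", "udp"),
    ("FI", "77.91.124.82:19071", "", "tcp"),
    ("FI", "77.91.124.82:19071", "", "tcp"),
    ("FI", "77.91.124.82:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "9.57.101.20.in-addr.arpa", "udp"),
    ("FI", "77.91.124.82:19071", "", "tcp"),
]
# The four unique dropped files from the Files section (name -> SHA256).
DROPPED_SHA256 = {
    "y9323072.exe": "5f44d4f273e05debab14f803551f2f3babb350ee6250180534279120dce1d651",
    "y9464001.exe": "a84e87ed78dea542fd674ff902f9aeffd2b22f145ca22731e564be9804c1ea47",
    "m0436827.exe": "5b1c99eac7565b5aab61850cdb939e3e8cbdea2bebb2e9059a8156be94f2b75f",
    "n3718195.exe": "b7cbf5cc024a86f2847f7a2b8339eacf1735f5e88d73418b18e67bb737a85365",
}
SAMPLE_SHA256 = "a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75"
SID_BASE = 9000000  # assumed local SID range for generated rules


def ptr_to_ip(name):
    """Decode a reverse-lookup name (octets reversed) to the IPv4 address it resolves."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:
        return None


def split_dst(dst):
    host, _, port = dst.rpartition(":")
    return host, int(port)


def summarize(rows=NET_ROWS):
    endpoints = Counter()
    country = {}
    ptr = {}
    for cc, dst, domain, proto in rows:
        host, port = split_dst(dst)
        key = (host, port, proto)
        endpoints[key] += 1
        country[key] = cc
        if domain:
            ptr[domain] = ptr_to_ip(domain)
    return {
        "sample_sha256": SAMPLE_SHA256,
        "endpoints": [
            {"dst": h, "port": p, "proto": pr, "country": country[(h, p, pr)], "hits": n}
            for (h, p, pr), n in endpoints.most_common()
        ],
        "ptr_lookups": ptr,
        "dropped_sha256": sorted(DROPPED_SHA256.values()),
    }


def suricata_rules(summary):
    """One alert per observed TCP endpoint. DNS to the public resolver is left
    out: 8.8.8.8:53 is not specific to this sample."""
    rules = []
    tcp = [e for e in summary["endpoints"] if e["proto"] == "tcp"]
    for i, e in enumerate(tcp):
        rules.append(
            f'alert tcp $HOME_NET any -> {e["dst"]} {e["port"]} '
            f'(msg:"Sandbox-observed outbound for {summary["sample_sha256"][:12]} '
            f'({e["country"]}, {e["hits"]} hits)"; flow:to_server; '
            f'sid:{SID_BASE + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    s = summarize()
    for e in s["endpoints"]:
        print(e)
    print(s["ptr_lookups"])
    print("\n".join(suricata_rules(s)))
```

The endpoint list comes out with 77.91.124.82:19071 first (five connections), then the two resolver queries, then the single connection to 5.42.92.211:80; the PTR names decode to 52.111.227.13 and 20.101.57.9, which the sandbox looked up but did not connect to.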

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9323072.exe

MD5 09754633c2e19c71b229c49f2a712062
SHA1 a5c6bb61c3f4c690753586f81dacd7a744531a06
SHA256 5f44d4f273e05debab14f803551f2f3babb350ee6250180534279120dce1d651
SHA512 96b0cf1042721e4950d624ec0b912b669ef1b1284645b34bc652387a7fbb78a79761f204318d9c8e57812802efff94372f7bee7c3f2a7310706586d442eeef98

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9464001.exe

MD5 b377f1e1e9e38e1c13349a2f77c08980
SHA1 bdd68feefc3458e332e2b3614edf9c83ad484182
SHA256 a84e87ed78dea542fd674ff902f9aeffd2b22f145ca22731e564be9804c1ea47
SHA512 3f764672b1e928882cd8b947dad4f5dc5611a1dcc65e07fa0d8d0d87b167503940338db9b8434f2202fac96e61a3d257aea253ed714c295e9c8c21cc0dc08c8c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0436827.exe

MD5 ea3e6fc76e0f664e6d2e867ac7da718d
SHA1 71d9f296840be41ff4dc700468f4c24b30d38e79
SHA256 5b1c99eac7565b5aab61850cdb939e3e8cbdea2bebb2e9059a8156be94f2b75f
SHA512 9491cf4ce050975d7a9b665f79639259f6645f7ee050ebe62618a6cdc9c9117cc993f63e7bc73a82150e2efcd91d9d5cb40bba5c1b0c3ce52299fd2502d2fe60

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3718195.exe

MD5 2f5e12e59ed8f86487aeccba80873091
SHA1 98fcefdb703618ef0418e6286997190a64400daa
SHA256 b7cbf5cc024a86f2847f7a2b8339eacf1735f5e88d73418b18e67bb737a85365
SHA512 c5dc958dfb162016ca71a1680e6b87ab5559cb708b4c8694ac8d4d59182fc628f7d54dc4217ae18ab5a0944a7a58d96632197a3eb27d607f07068228baea446b

memory/292-24-0x0000000000270000-0x00000000002A0000-memory.dmp

memory/292-25-0x00000000738C0000-0x0000000073FAE000-memory.dmp

memory/292-26-0x0000000000B80000-0x0000000000B86000-memory.dmp

memory/292-27-0x000000000A810000-0x000000000AE16000-memory.dmp

memory/292-28-0x000000000A310000-0x000000000A41A000-memory.dmp

memory/292-29-0x0000000002670000-0x0000000002682000-memory.dmp

memory/292-30-0x0000000004CD0000-0x0000000004D0E000-memory.dmp

memory/292-31-0x0000000004D10000-0x0000000004D5B000-memory.dmp

memory/292-32-0x00000000738C0000-0x0000000073FAE000-memory.dmp
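Added example, not part of the report: a parser for the dump names listed above. Each name encodes the pid, a sequence index and the virtual address range of the region that was dumped, so the sizes, the repeated ranges (index 32 is the same 0x738C0000-0x73FAE000 region as index 25, dumped again later) and the dump that contains a given address can all be read off before opening anything. The nine names are transcribed from the list; the field names and the triage ordering are this example's own choices.

```python
import re

# Constructed sample input: the nine dump names listed for pid 292.
DUMPS = [
    "memory/292-24-0x0000000000270000-0x00000000002A0000-memory.dmp",
    "memory/292-25-0x00000000738C0000-0x0000000073FAE000-memory.dmp",
    "memory/292-26-0x0000000000B80000-0x0000000000B86000-memory.dmp",
    "memory/292-27-0x000000000A810000-0x000000000AE16000-memory.dmp",
    "memory/292-28-0x000000000A310000-0x000000000A41A000-memory.dmp",
    "memory/292-29-0x0000000002670000-0x0000000002682000-memory.dmp",
    "memory/292-30-0x0000000004CD0000-0x0000000004D0E000-memory.dmp",
    "memory/292-31-0x0000000004D10000-0x0000000004D5B000-memory.dmp",
    "memory/292-32-0x00000000738C0000-0x0000000073FAE000-memory.dmp",
]

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    m = NAME.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"name": name, "pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def triage(names=DUMPS):
    """Parse all names, mark ranges dumped more than once (repeat_of holds the
    index of the first dump of that range), and order by size, largest first."""
    regions = [parse_dump(n) for n in names]
    first_seen = {}
    for r in regions:
        key = (r["pid"], r["start"], r["end"])
        r["repeat_of"] = first_seen.get(key)
        first_seen.setdefault(key, r["idx"])
    return sorted(regions, key=lambda r: r["size"], reverse=True)


def dump_for_address(regions, pid, addr):
    """Index of the dump whose range contains addr in that pid, or None."""
    for r in regions:
        if r["pid"] == pid and r["start"] <= addr < r["end"]:
            return r["idx"]
    return None


if __name__ == "__main__":
    for r in triage():
        tag = f" (repeat of {r['repeat_of']})" if r["repeat_of"] is not None else ""
        print(f"{r['idx']:>3}  0x{r['start']:016X}-0x{r['end']:016X}  {r['size']:>9} bytes{tag}")
    print("address 0x4D20000 is in dump", dump_for_address(triage(), 292, 0x4D20000))
```

Sorted this way the two largest dumps are indices 25 and 32 (the same 7.3 MB range), followed by index 27 at 0x0A810000 (6.3 MB); an address such as 0x4D20000 maps to dump 31.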