Malware Analysis Report

2025-03-15 01:39

Sample ID 230910-kr54dsfh4w
Target 68b41fcbd8d3e14eb53ed345c7ae363b8e514fe6876ca55b94162a295e1f18bf
SHA256 68b41fcbd8d3e14eb53ed345c7ae363b8e514fe6876ca55b94162a295e1f18bf
Tags
redline virad infostealer persistence
score
10/10

Analysis Overview

score
10/10

SHA256

68b41fcbd8d3e14eb53ed345c7ae363b8e514fe6876ca55b94162a295e1f18bf

Threat Level: Known bad

The file 68b41fcbd8d3e14eb53ed345c7ae363b8e514fe6876ca55b94162a295e1f18bf was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 08:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 08:51

Reported

2023-09-10 08:53

Platform

win10-20230831-en

Max time kernel

128s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68b41fcbd8d3e14eb53ed345c7ae363b8e514fe6876ca55b94162a295e1f18bf.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\68b41fcbd8d3e14eb53ed345c7ae363b8e514fe6876ca55b94162a295e1f18bf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7376678.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4355860.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4384 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\68b41fcbd8d3e14eb53ed345c7ae363b8e514fe6876ca55b94162a295e1f18bf.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7376678.exe
PID 4384 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\68b41fcbd8d3e14eb53ed345c7ae363b8e514fe6876ca55b94162a295e1f18bf.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7376678.exe
PID 4384 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\68b41fcbd8d3e14eb53ed345c7ae363b8e514fe6876ca55b94162a295e1f18bf.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7376678.exe
PID 1096 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7376678.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4355860.exe
PID 1096 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7376678.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4355860.exe
PID 1096 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7376678.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4355860.exe
PID 4740 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4355860.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3702276.exe
PID 4740 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4355860.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3702276.exe
PID 4740 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4355860.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3702276.exe
PID 4740 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4355860.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8704393.exe
PID 4740 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4355860.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8704393.exe
PID 4740 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4355860.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8704393.exe

Processes

C:\Users\Admin\AppData\Local\Temp\68b41fcbd8d3e14eb53ed345c7ae363b8e514fe6876ca55b94162a295e1f18bf.exe

"C:\Users\Admin\AppData\Local\Temp\68b41fcbd8d3e14eb53ed345c7ae363b8e514fe6876ca55b94162a295e1f18bf.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7376678.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7376678.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4355860.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4355860.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3702276.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3702276.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8704393.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8704393.exe

Network

Country Destination Domain Proto
RU 5.42.92.211:80 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7376678.exe

MD5 2c713bbf8b4f376a12425b4a7942b392
SHA1 17c5d6ccdeef92ad324e7a2626e60acb42a9ee58
SHA256 1e4cfb6a3944ac3abbefeccc27257bea315abe341922d8c0280d97592a7f48e8
SHA512 982646776548809a0c3dbab0e3b25984a84713c5e208d2fe7423432ac3b833b5ce08c53ca564d0d16647cc6f749c842910c74262a3081f76274a0bda03c2d2e1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4355860.exe

MD5 4f0792f856b2ffd4c6328154edd83312
SHA1 e6f53b060c844f41457e75af1fba56a630c8e446
SHA256 f23f753370bf56cbf3d8a1c048b7a2c77b54a64a287b1c518b50fd9a563f56ee
SHA512 62ce77b59f965d65631e510a3cd7d66e4aa46ab05b665a4527ed0f8133cad5d8db89f653ef8aa7746fb410e78dc6df8f227add3749ab5fb83679fd1d1aafb8fb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3702276.exe

MD5 96a126307d6efa49f684d231e590b55d
SHA1 03cee59fe10fc01730f1af52cdf0b957aae63768
SHA256 6c91ebad6fd4fdaad1dd52c7d73ac3b0df910c6d2a5acb5d6926aa90a2b24a29
SHA512 a165325a0b5b52ac760748e12053724f3dfae350d8e67caed45f4be0009067c4b83c7187279c7afa7fc9ca7b2205b3ffb36a243ce64620d41aec727cf4f3eb8c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8704393.exe

MD5 b691a99b44044e4e95e52ab394ef78a1
SHA1 0e10592da7a46be79f58846d846a51998c66d102
SHA256 bde9e9df44562df0e6c8a28e875077b2c00427ed548b9d97dd0efa8ac85cb7ec
SHA512 8618e76c9664c1e2d4fd828775c8af570d5f93c23fa526da0c7c1718a58e4ef953994725db42ec23ba693a507d982a5972bd0bbd9cce32beb457a0210b0a87d9

memory/4204-24-0x0000000000940000-0x0000000000970000-memory.dmp

memory/4204-25-0x0000000073400000-0x0000000073AEE000-memory.dmp

memory/4204-26-0x0000000002C70000-0x0000000002C76000-memory.dmp

memory/4204-27-0x000000000AD10000-0x000000000B316000-memory.dmp

memory/4204-28-0x000000000A890000-0x000000000A99A000-memory.dmp

memory/4204-29-0x000000000A7C0000-0x000000000A7D2000-memory.dmp

memory/4204-30-0x000000000A820000-0x000000000A85E000-memory.dmp

memory/4204-31-0x000000000A9A0000-0x000000000A9EB000-memory.dmp

memory/4204-32-0x0000000073400000-0x0000000073AEE000-memory.dmp