Malware Analysis Report

2025-03-15 01:42

Sample ID 230910-lb9mbaga4w
Target 577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e
SHA256 577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e

Threat Level: Known bad

The file 577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 09:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 09:22

Reported

2023-09-10 09:25

Platform

win10-20230831-en

Max time kernel

128s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence

Note on this signature: the three values below are the wextract_cleanupN entries that wextract.exe, the IExpress self-extraction stub, writes for each nested stage. Each stage unpacks into its own IXP00N.TMP directory and registers a RunOnce value that calls advpack.dll,DelNodeRunDLL32 to delete that directory at the next logon; a RunOnce value is removed once it has run. These entries are packer housekeeping and do not relaunch the payload, so they are evidence of a three-deep self-extracting chain rather than of reboot-surviving persistence for the stealer itself.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe N/A

Suspicious use of WriteProcessMemory

Each row pairs a process with the executable it launches next (compare the Processes list): the sample writes into y6761654.exe, which writes into y9453442.exe, which writes into both stage-three binaries. That is consistent with ordinary parent-to-child process creation along the extraction chain rather than injection into an unrelated process; no row shows a write into a process outside the chain.

Description Indicator Process Target
PID 4740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe
PID 4740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe
PID 4740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe
PID 2452 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe
PID 2452 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe
PID 2452 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe
PID 5104 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6793306.exe
PID 5104 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6793306.exe
PID 5104 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6793306.exe
PID 5104 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5835614.exe
PID 5104 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5835614.exe
PID 5104 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5835614.exe
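To turn the two signature tables above (the RunOnce entries and the WriteProcessMemory rows) into something an analyst can check rather than read, here is an added example; it is my code, not part of the sandbox report. It parses the rows exactly as the report prints them, rebuilds the process tree from the writer/target PIDs, and then cross-checks the wextract pattern: wextract_cleanupN must point at IXP00N.TMP, must be written by the process at depth N in the tree, and that process must itself run from IXP00(N-1).TMP. The row text is copied from this report; the regular expressions, function names and the invariants checked are my own.

```python
import re
from collections import Counter

# Constructed inputs: the rows of the two signature tables above, copied verbatim
# (the sandbox writes one WriteProcessMemory row per call, hence the repeats).
RUNONCE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe N/A
'''
WPM_ROWS = r'''
PID 4740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe
PID 4740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe
PID 4740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe
PID 2452 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe
PID 2452 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe
PID 2452 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe
PID 5104 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6793306.exe
PID 5104 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6793306.exe
PID 5104 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6793306.exe
PID 5104 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5835614.exe
PID 5104 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5835614.exe
PID 5104 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5835614.exe
'''

RUNONCE_RE = re.compile(r'^Set value \(str\) \S+\\wextract_cleanup(\d+) = "(.*)" (\S+) N/A$')
CLEANUP_DIR_RE = re.compile(r'DelNodeRunDLL32 \\"(.*?)\\"')
WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')
IXP_RE = re.compile(r'\\IXP(\d{3})\.TMP\\')


def matched_rows(text, regex):
    for line in text.strip().splitlines():
        m = regex.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        yield m

def stage_of(path):
    """N for a path inside IXP00N.TMP, None otherwise (e.g. the submitted sample)."""
    m = IXP_RE.search(path)
    return int(m.group(1)) if m else None

def parse_runonce(text):
    """Per wextract_cleanupN value: stage index, directory deleted at next logon, writer."""
    stages = []
    for m in matched_rows(text, RUNONCE_RE):
        d = CLEANUP_DIR_RE.search(m.group(2))
        if not d:
            raise ValueError(f"no DelNodeRunDLL32 target in {m.group(2)!r}")
        stages.append({"index": int(m.group(1)),
                       "cleanup_dir": d.group(1).replace("\\\\", "\\"),
                       "writer": m.group(3)})
    return stages

def parse_wpm(text):
    """(writer_pid, target_pid, writer_path, target_path) per row."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            for m in matched_rows(text, WPM_RE)]

def build_tree(events):
    """Collapse repeated rows into pid -> {path, parent, children} plus per-edge
    write counts; a PID with two different writers is not a plain chain, so reject it."""
    nodes, writes = {}, Counter()
    for src, dst, src_path, dst_path in events:
        nodes.setdefault(src, {"path": src_path, "parent": None, "children": []})
        node = nodes.setdefault(dst, {"path": dst_path, "parent": None, "children": []})
        if node["parent"] is None:
            node["parent"] = src
            nodes[src]["children"].append(dst)
        elif node["parent"] != src:
            raise ValueError(f"PID {dst} written by both {node['parent']} and {src}")
        writes[(src, dst)] += 1
    return nodes, writes

def lineage(nodes, pid):
    """Root-first list of PIDs down to pid."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = nodes[pid]["parent"]
    return chain[::-1]

def verify_chain(stages, nodes):
    """Map stage index -> writer PID after checking the wextract invariants: cleanup N
    targets IXP00N.TMP, its writer sits at depth N, and runs from IXP00(N-1).TMP."""
    pid_by_path = {n["path"]: pid for pid, n in nodes.items()}
    result = {}
    for s in stages:
        n, pid = s["index"], pid_by_path[s["writer"]]
        if (stage_of(s["cleanup_dir"]) != n or len(lineage(nodes, pid)) - 1 != n
                or stage_of(s["writer"]) != (n - 1 if n else None)):
            raise ValueError(f"wextract_cleanup{n} does not fit the stage pattern")
        result[n] = pid
    return result

if __name__ == "__main__":
    tree, _ = build_tree(parse_wpm(WPM_ROWS))
    print(verify_chain(parse_runonce(RUNONCE_ROWS), tree), lineage(tree, 4064))
```

Run as-is it prints {0: 4740, 1: 2452, 2: 5104} and the lineage [4740, 2452, 5104, 4064]; a report in which a RunOnce value were written by a process that is not the stage above it, or in which one PID were written by two different parents, raises instead of being silently accepted as a packer chain.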

Processes

PIDs and lineage are taken from the WriteProcessMemory table above; each entry gives the image path and the command line the sandbox recorded.

PID 4740 (submitted sample)
  Image: C:\Users\Admin\AppData\Local\Temp\577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e.exe"

PID 2452 (launched by 4740)
  Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe

PID 5104 (launched by 2452)
  Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe

PID 1084 (launched by 5104)
  Image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6793306.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6793306.exe

PID 4064 (launched by 5104)
  Image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5835614.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5835614.exe

Network

Country  Destination          Domain                       Proto
RU       5.42.92.211:80       -                            tcp
FI       77.91.124.82:19071   -                            tcp
FI       77.91.124.82:19071   -                            tcp
US       8.8.8.8:53           43.229.111.52.in-addr.arpa   udp
FI       77.91.124.82:19071   -                            tcp
FI       77.91.124.82:19071   -                            tcp
US       8.8.8.8:53           9.57.101.20.in-addr.arpa     udp
US       8.8.8.8:53           5.173.189.20.in-addr.arpa    udp
FI       77.91.124.82:19071   -                            tcp
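The report does not say which process opened each connection, and the table mixes plain TCP connections with reverse-DNS queries sent to the resolver. The following added example (my code, not part of the report) parses the rows as the sandbox prints them, counts connections per endpoint, turns each in-addr.arpa name back into the address being looked up, and emits IOC candidates with the busiest endpoint first. The row text is copied from this report; the function names are mine, and the "confirm it is sample traffic" caveat is there because PTR lookups of this kind can equally come from the operating system inside the sandbox.

```python
import re
from collections import Counter

# Constructed input: the Network table above, copied verbatim. TCP rows carry no
# Domain column; the udp rows are DNS queries and carry the name looked up.
NETWORK_ROWS = """\
RU 5.42.92.211:80 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
"""

PTR_SUFFIX = ".in-addr.arpa"
OCTET_RE = re.compile(r"^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$")


def parse_network(text):
    """One dict per row: country, destination ip/port, queried name ('' for plain
    connections) and protocol. Rows with any other shape are rejected."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError(f"unrecognised network row: {line!r}")
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_target(name):
    """IPv4 address a reverse-lookup name asks about, or None if the name is not a
    well-formed in-addr.arpa query (the octets are stored in reverse order)."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(OCTET_RE.match(o) for o in octets):
        return None
    return ".".join(reversed(octets))


def summarize(rows):
    """Separate connection endpoints (with hit counts) from the addresses whose
    PTR records were queried, so the two can be triaged on their own terms."""
    endpoints, ptr_lookups, resolvers = Counter(), [], set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            resolvers.add(r["ip"])
            target = ptr_target(r["domain"])
            if target:
                ptr_lookups.append(target)
        else:
            endpoints[(r["ip"], r["port"], r["proto"])] += 1
    return {"endpoints": endpoints, "ptr_lookups": ptr_lookups, "resolvers": resolvers}


def ioc_lines(summary):
    """Plain-text IOC candidates, busiest endpoint first."""
    out = [f"endpoint {ip}:{port}/{proto} ({n} connections)"
           for (ip, port, proto), n in summary["endpoints"].most_common()]
    out += [f"ptr-lookup {ip} (reverse DNS only; confirm it is sample traffic)"
            for ip in summary["ptr_lookups"]]
    return out


if __name__ == "__main__":
    print("\n".join(ioc_lines(summarize(parse_network(NETWORK_ROWS)))))
```

For this report the first line printed is the endpoint 77.91.124.82:19071/tcp with five connections, followed by 5.42.92.211:80/tcp with one; the three PTR targets (52.111.229.43, 20.101.57.9, 20.189.173.5) are listed separately because the table gives no evidence that the sample, rather than Windows itself, asked for them.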

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe

MD5 0decf136562f529a28297998dd79ec55
SHA1 e7585d6b6cf090069c2ecf2a53eb4af673562c9b
SHA256 61bd5fa42e4b8fb63c1c2a2bf2e00323adf70b85167f50766d88e27611a2e72f
SHA512 f75402ca59adb5eebecb977caf4683a8f9464c6b4f7dee71fec8324aa9b29260d770d890d2f327c00c8bbabed207620dac27e1ab846e0654f05c4daaccf8efdb

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe

MD5 6982ccceca9266f7b63f70f7a13b3fc5
SHA1 f9394d1a246f34da5f52e911521253a60c4a078d
SHA256 7dec5ff2027f19f2911d2dd4f03f401b27c5ecdc589d4a9960a0822397dc8112
SHA512 7088b7b4547e9624b43826c98a50e1cb4f04c5fff1d533e1514859901843f04e4ad01adfc6899f496ba37e119ef2732c6d930bf798cb61d4f11006bbe0ac7d65

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6793306.exe

MD5 49bbc50ba37a6caa1e43c1a7adc5fadd
SHA1 1344f3f5ef9bf1207919fcea3d7a3f34b5333a6e
SHA256 f14d457eef814320f2089d372cf8f875529ecbc181bff1aa1bd02cebfdc33f4c
SHA512 f134e0fe5a73778f1582eb74a032eea8c47a70ff082e882fff1128146f02b20712191875a0771703f77a0c60087aab6a9245874fcdbcbfeb7bfbd7fe674d19ea

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5835614.exe

MD5 364851eef6f358ff353473e78268a458
SHA1 1e796cdbf6ce440802423fe6f373df302e622a9a
SHA256 b27097d42122248046b41a8235e867f13675f0b38cd89303033b11a4c0f19add
SHA512 f1afea628dae913b6587f6842da17790b543c1c3c45a584843ff6e739eec3b0a4f9a873bb4b34fd84b1c57265239d5167395b17669372f90ef620c3a9be034f4

Memory dumps of PID 4064 (C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5835614.exe), one file per region, named by PID, dump index and address range:

memory/4064-25-0x0000000073160000-0x000000007384E000-memory.dmp
memory/4064-24-0x0000000000AF0000-0x0000000000B20000-memory.dmp
memory/4064-26-0x0000000002C80000-0x0000000002C86000-memory.dmp
memory/4064-27-0x000000000AEC0000-0x000000000B4C6000-memory.dmp
memory/4064-28-0x000000000AA40000-0x000000000AB4A000-memory.dmp
memory/4064-29-0x000000000A970000-0x000000000A982000-memory.dmp
memory/4064-30-0x000000000A9D0000-0x000000000AA0E000-memory.dmp
memory/4064-31-0x000000000AB50000-0x000000000AB9B000-memory.dmp
memory/4064-32-0x0000000073160000-0x000000007384E000-memory.dmp