Malware Analysis Report

2025-03-15 01:44

Sample ID 230910-ld45lsga4z
Target 509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220
SHA256 509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220

Threat Level: Known bad

The file 509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 09:25

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator rows: this signature fires on the absence of an Authenticode signature on the PE itself, so there is no process or target to list)

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 09:25

Reported

2023-09-10 09:28

Platform

win10v2004-20230831-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2655142.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2225031.exe N/A

All three values are wextract_cleanupN entries under RunOnce. Microsoft's wextract.exe self-extractor (the stub used by IExpress packages) registers "rundll32.exe advpack.dll,DelNodeRunDLL32 <dir>" so that its IXP00N.TMP extraction directory is deleted at the next logon; the entries remove the droppers' staging directories and do not relaunch anything. Read this signature as evidence of three nested wextract layers (IXP000 > IXP001 > IXP002), not as autostart persistence of the RedLine payload; no other Run or RunOnce value is recorded in this detonation. The WOW6432Node hive path shows the writers are 32-bit processes on the 64-bit guest.
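As an added example (not code from the sandbox report), the following Python parses the rows of the persistence table above in the report's own `Set value (str) <key> = "<value>" <process> <target>` shape, unescapes the value column, and separates wextract_cleanup entries (a RunOnce value running rundll32 advpack.dll,DelNodeRunDLL32 against an IXP00N.TMP directory) from genuine autostart entries. The first three rows are copied from the report; the fourth, an HKCU Run value named Updater, is a constructed hypothetical included only for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Rows in the report's persistence table have the shape
#   Set value (<type>) <key>\<name> = "<value>" <writing process> <target>
# with backslashes and quotes inside <value> escaped by a backslash.
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\S+) = "(?P<value>(?:[^"\\]|\\.)*)" '
    r'(?P<writer>\S+) (?P<target>\S+)$'
)

# The wextract/IExpress self-extractor registers this command under RunOnce so that
# its IXP00N.TMP extraction directory is deleted at the next logon.
CLEANUP_RE = re.compile(
    r'rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]+?)"?\s*$',
    re.IGNORECASE,
)

# First three rows copied from the report; the last is a CONSTRUCTED hypothetical
# HKCU Run value showing what a real autostart entry looks like in the same format.
REGISTRY_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2655142.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2225031.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" C:\Users\Admin\AppData\Roaming\updater.exe N/A',
]


@dataclass
class AutostartEntry:
    key: str
    name: str
    value: str
    writer: str
    kind: str               # "wextract_cleanup" or "autostart"
    deletes: Optional[str]  # directory removed at next logon (cleanup entries only)


def unescape(value: str) -> str:
    # Undo the report's escaping of backslashes and quotes in the value column.
    return re.sub(r'\\(.)', r'\1', value)


def classify(row: str) -> AutostartEntry:
    m = ROW_RE.match(row)
    if m is None:
        raise ValueError(f"unrecognised row: {row[:60]}")
    key, name = m.group("key").rsplit("\\", 1)
    value = unescape(m.group("value"))
    cleanup = CLEANUP_RE.search(value)
    # Only a RunOnce DelNodeRunDLL32 command is the packer's self-cleanup; anything
    # else under Run/RunOnce is treated as a real autostart entry.
    if cleanup and key.upper().endswith("\\RUNONCE"):
        return AutostartEntry(key, name, value, m.group("writer"), "wextract_cleanup", cleanup.group("dir"))
    return AutostartEntry(key, name, value, m.group("writer"), "autostart", None)


def summarize(rows: List[str]) -> dict:
    entries = [classify(r) for r in rows]
    return {
        "cleanup_dirs": [e.deletes for e in entries if e.kind == "wextract_cleanup"],
        "autostart": [(e.name, e.value) for e in entries if e.kind == "autostart"],
        # WOW6432Node in the key path means the writer was a 32-bit process on 64-bit Windows.
        "wow64_writer": any("WOW6432NODE" in e.key.upper() for e in entries),
    }


if __name__ == "__main__":
    for e in (classify(r) for r in REGISTRY_ROWS):
        print(f"{e.kind:17} {e.name:18} {e.deletes or e.value}")
```

Running it prints three wextract_cleanup lines naming the IXP000/IXP001/IXP002 directories and one autostart line for the constructed Updater value; the same classification applied to a live system's Run/RunOnce keys keeps DelNodeRunDLL32 cleanup entries from being reported as persistence.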

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3684 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2655142.exe
PID 4508 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2655142.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2225031.exe
PID 3136 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2225031.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9596896.exe
PID 3136 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2225031.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6526775.exe

The sandbox logs one row per WriteProcessMemory call, and each of the four pairs above appears three times in the raw table. In every row the writer is the executable of one wextract layer and the target the executable it dropped into the next IXP00N.TMP directory, which gives the chain 3684 > 4508 > 3136 > {116, 5072}. Read the rows as the process chain rather than as proof of injection on their own: a parent writing into a child it has just created looks the same at this granularity whether the child is simply being started or being hollowed.
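The chain can be recovered mechanically from these rows. The Python below is an added example, not code from the report: it parses the `PID X wrote to memory of Y N/A <process> <target>` rows, collapses the repeated lines into a per-pair write count, builds the parent/child tree, and tags every stage that runs from a wextract IXP00N.TMP staging directory. The sample rows are the report's four distinct parent/child pairs, each entered three times because the sandbox logs one row per WriteProcessMemory call.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ROW_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_path>\S+) (?P<dst_path>\S+)$'
)
# wextract (IExpress) extracts to %TEMP%\IXP<nnn>.TMP; a nested chain of these
# directories is the signature of layered self-extracting droppers.
STAGING_RE = re.compile(r'\\IXP(?P<n>\d{3})\.TMP\\', re.IGNORECASE)

T = r'C:\Users\Admin\AppData\Local\Temp'
# The four distinct rows from the report, each repeated three times as in the table.
WRITE_ROWS = (
    [rf'PID 3684 wrote to memory of 4508 N/A {T}\509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220.exe {T}\IXP000.TMP\y2655142.exe'] * 3
    + [rf'PID 4508 wrote to memory of 3136 N/A {T}\IXP000.TMP\y2655142.exe {T}\IXP001.TMP\y2225031.exe'] * 3
    + [rf'PID 3136 wrote to memory of 116 N/A {T}\IXP001.TMP\y2225031.exe {T}\IXP002.TMP\m9596896.exe'] * 3
    + [rf'PID 3136 wrote to memory of 5072 N/A {T}\IXP001.TMP\y2225031.exe {T}\IXP002.TMP\n6526775.exe'] * 3
)


def parse_writes(rows: List[str]) -> Tuple[Dict[int, str], Dict[Tuple[int, int], int]]:
    """Return ({pid: image path}, {(writer, target): number of writes})."""
    images: Dict[int, str] = {}
    edges: Dict[Tuple[int, int], int] = defaultdict(int)
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            continue  # not a WriteProcessMemory row; skip
        src, dst = int(m["src"]), int(m["dst"])
        images.setdefault(src, m["src_path"])
        images.setdefault(dst, m["dst_path"])
        edges[(src, dst)] += 1
    return images, dict(edges)


def process_tree(edges: Dict[Tuple[int, int], int]) -> Tuple[List[int], Dict[int, List[int]]]:
    """Children per writer, and the root PIDs (writers nobody wrote into)."""
    children: Dict[int, List[int]] = defaultdict(list)
    for src, dst in sorted(edges):
        children[src].append(dst)
    roots = sorted(set(children) - {dst for _, dst in edges})
    return roots, dict(children)


def leaves(edges: Dict[Tuple[int, int], int]) -> List[int]:
    """PIDs that wrote into nobody: the innermost stage, i.e. the payload candidates."""
    writers = {src for src, _ in edges}
    return sorted({dst for _, dst in edges} - writers)


def staging_level(path: str) -> Optional[int]:
    """0, 1, 2 ... for an image inside IXP000.TMP, IXP001.TMP ...; None otherwise."""
    m = STAGING_RE.search(path)
    return int(m["n"]) if m else None


def render(images: Dict[int, str], edges: Dict[Tuple[int, int], int]) -> List[str]:
    """Indented text tree, one line per process, tagged with its wextract stage."""
    roots, children = process_tree(edges)
    out: List[str] = []

    def walk(pid: int, depth: int) -> None:
        path = images[pid]
        name = path.rsplit("\\", 1)[-1]
        lvl = staging_level(path)
        tag = f"  [wextract stage IXP{lvl:03d}]" if lvl is not None else ""
        out.append("  " * depth + f"{pid} {name}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


if __name__ == "__main__":
    imgs, edg = parse_writes(WRITE_ROWS)
    print("\n".join(render(imgs, edg)))
    print("payload candidates:", leaves(edg))
```

The rendered tree has 3684 at the root, 4508 and 3136 as the two intermediate wextract stages, and 116 and 5072 as leaves inside IXP002.TMP; the leaves are where to look for the unpacked payload, which matches the memory dumps the sandbox took from 5072.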

Processes

PID Process Command Line
3684 C:\Users\Admin\AppData\Local\Temp\509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220.exe "C:\Users\Admin\AppData\Local\Temp\509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220.exe"
4508 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2655142.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2655142.exe
3136 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2225031.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2225031.exe
116 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9596896.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9596896.exe
5072 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6526775.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6526775.exe

PIDs are taken from the WriteProcessMemory rows. Each executable wrote into the one listed after it (3136 into both IXP002 executables); IXP000.TMP, IXP001.TMP and IXP002.TMP are the extraction directories of three nested wextract self-extractors, so y2655142.exe and y2225031.exe are intermediate droppers and m9596896.exe and n6526775.exe are the innermost stage.

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 254.1.248.8.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
RU 5.42.92.211:80 - tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 121.145.253.8.in-addr.arpa udp
FI 77.91.124.82:19071 - tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
FI 77.91.124.82:19071 - tcp
FI 77.91.124.82:19071 - tcp
FI 77.91.124.82:19071 - tcp
FI 77.91.124.82:19071 - tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

The udp rows are reverse (PTR) lookups sent to 8.8.8.8; reversing the in-addr.arpa labels gives addresses such as 20.190.160.14, 4.231.128.59 and 8.248.1.254, which lie in Microsoft and content-delivery ranges and are the Windows guest's own background traffic (the report attaches no process to them). The only direct connections are 5.42.92.211:80 (RU, one connection) and 77.91.124.82:19071 (FI, five connections), neither preceded by a forward DNS query in this capture. Repeated connections to a fixed high port during a RedLine detonation are consistent with the stealer's C2 channel, so these two endpoints are the network indicators to take from this run.
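To separate guest background noise from indicators, the rows of this table can be parsed and the PTR names reversed into the addresses they describe. The Python below is an added example, not part of the report: it reads the `Country Destination [Domain] Proto` rows (the Domain column is empty on the direct TCP rows), converts in-addr.arpa names back to dotted IPv4 addresses, and counts direct connections per endpoint. The rows are copied from the table above.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Rows copied from the report's Network table; the tcp rows carry no Domain value.
NETWORK_ROWS = """\
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 254.1.248.8.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
RU 5.42.92.211:80 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 121.145.253.8.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
""".splitlines()

PTR_RE = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$', re.IGNORECASE)


def ptr_to_ip(name: str) -> Optional[str]:
    """'14.160.190.20.in-addr.arpa' names 20.190.160.14: PTR labels are the octets reversed."""
    m = PTR_RE.match(name)
    if m is None:
        return None
    ip = ".".join(reversed(m.groups()))
    try:
        return str(ipaddress.IPv4Address(ip))  # rejects octets > 255
    except ipaddress.AddressValueError:
        return None


def parse_rows(rows: List[str]) -> List[dict]:
    """Tolerates both a 3-field tcp row and a 4-field row whose Domain is '-'."""
    events = []
    for row in rows:
        parts = row.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        if domain == "-":
            domain = None
        ip, port = dest.rsplit(":", 1)
        events.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return events


def triage(rows: List[str]) -> Tuple[List[str], Dict[Tuple[str, int, str, str], int]]:
    """Split the table into (addresses the guest reverse-resolved, direct connections with counts)."""
    looked_up: List[str] = []
    direct: Counter = Counter()
    for e in parse_rows(rows):
        if e["port"] == 53 and e["proto"] == "udp":
            ip = ptr_to_ip(e["domain"] or "")
            if ip:
                looked_up.append(ip)
        else:
            direct[(e["ip"], e["port"], e["proto"], e["country"])] += 1
    return looked_up, direct


def candidate_c2(rows: List[str]) -> List[str]:
    """Direct connections to public addresses, most frequent first, as ip:port strings."""
    _, direct = triage(rows)
    public = [(k, n) for k, n in direct.items() if ipaddress.IPv4Address(k[0]).is_global]
    return [f"{ip}:{port}" for (ip, port, _, _), _ in sorted(public, key=lambda kv: -kv[1])]


if __name__ == "__main__":
    looked_up, direct = triage(NETWORK_ROWS)
    print("PTR lookups for:", ", ".join(looked_up))
    for (ip, port, proto, cc), n in direct.most_common():
        print(f"{ip}:{port}/{proto} ({cc}) x{n}")
```

The reversed PTR targets come out as Microsoft and CDN addresses, and candidate_c2 returns the two direct endpoints ordered by connection count, with 77.91.124.82:19071 first; that ordering, not the country column, is what singles out the likely C2.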

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2655142.exe

MD5 e30795c062c537707cb4c04beaf4c5bd
SHA1 a8d37fc6e6eb05998de982d447f3e1a5df5c1b90
SHA256 c44580baad965f75fdf962bd5d2e78682f0486afc933a66cde5b79c645ea2e07
SHA512 9e2087b710f63000399e0a91e5dfa347318417dfc918d9dda2670c2cd708803e932a0dd89fabea7b1c7f9acb81d461e1e59293b8df1cfe7772a1eb27985da907

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2225031.exe

MD5 42d558174f1caac68d2574320ea6d851
SHA1 4f342e03526705972c30c72d57d3075b7bbe7ce2
SHA256 4c60e82ac3c74316831092d74f3869bfaa631ba93a9b26308e3a11f4258512a2
SHA512 d5f866004413ff96cf4ae2bc0a2eefce6571040632c23c391c4b1b4c28ea88bf2a407d982d2bc817cf72a61a8f7cfe17cb05b112ab6bef979e533da73c15db8b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9596896.exe

MD5 7d51de3d3db7a185492221e85e07af4b
SHA1 a5331de5bd9a0d3c9f6650ae889e4cd3ab1a3677
SHA256 652ae64e8305edb9a3c9221ee05a11b0af3453cb0de44c447e608d0cf54c13ca
SHA512 1f13938997c68df1a43e383e1a1d5268ff37c9b6c70fb90738e0e1561c4a89dcf6403f44bc955ac9cc3aaabedeaddebcf1234458b266761bd99a77872dc340ca

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6526775.exe

MD5 4f9db2721bdc4dd5a29a5b807b3d660e
SHA1 4ba1705cf10b794725f66e9fa116d4a7e3ed49c6
SHA256 785ff05e10a1eb7fa1d61b79b01a6e10d26946b0d2c2d6dd3734504845d4e2f6
SHA512 ac5392647ce78c017901ac99079ee96014b792122524d598c55e95e6366249419f0f8a2d3e9dba0880b21317c368e6275f54534ea69f306c45feb6621923618b

All memory dumps were taken from PID 5072 (C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6526775.exe), the only process the sandbox dumped, which is consistent with the RedLine payload being unpacked there; dumps 25/31 and 28/32 re-capture the same two address ranges.

memory/5072-24-0x0000000000B20000-0x0000000000B50000-memory.dmp
memory/5072-25-0x0000000073D00000-0x00000000744B0000-memory.dmp
memory/5072-26-0x0000000005C50000-0x0000000006268000-memory.dmp
memory/5072-27-0x0000000005740000-0x000000000584A000-memory.dmp
memory/5072-28-0x0000000005620000-0x0000000005630000-memory.dmp
memory/5072-29-0x00000000055E0000-0x00000000055F2000-memory.dmp
memory/5072-30-0x0000000005670000-0x00000000056AC000-memory.dmp
memory/5072-31-0x0000000073D00000-0x00000000744B0000-memory.dmp
memory/5072-32-0x0000000005620000-0x0000000005630000-memory.dmp