Malware Analysis Report

2025-03-15 01:44

Sample ID: 230910-lm3m5sga7z
Target: 1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce
SHA256: 1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce
Tags: redline virad infostealer persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce

Threat Level: Known bad

The file 1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-09-10 09:39

Signatures

Unsigned PE
    Description: N/A    Indicator: N/A    Process: N/A    Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-09-10 09:39
Reported: 2023-09-10 09:42
Platform: win10-20230831-en
Max time kernel: 130s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe"

Signatures

RedLine
    Tags: infostealer redline

Adds Run key to start application
    Tags: persistence

    Description: Set value (str)
    Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
    Process: C:\Users\Admin\AppData\Local\Temp\1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe
    Target: N/A

    Description: Set value (str)
    Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
    Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6670028.exe
    Target: N/A

    Description: Set value (str)
    Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
    Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4413852.exe
    Target: N/A

Suspicious use of WriteProcessMemory

    Description: PID 4688 wrote to memory of 388 (3 events)
    Indicator: N/A
    Process: C:\Users\Admin\AppData\Local\Temp\1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe
    Target: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6670028.exe

    Description: PID 388 wrote to memory of 4960 (3 events)
    Indicator: N/A
    Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6670028.exe
    Target: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4413852.exe

    Description: PID 4960 wrote to memory of 920 (3 events)
    Indicator: N/A
    Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4413852.exe
    Target: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5033490.exe

    Description: PID 4960 wrote to memory of 1852 (3 events)
    Indicator: N/A
    Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4413852.exe
    Target: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6383049.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6670028.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6670028.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4413852.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4413852.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5033490.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5033490.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6383049.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6383049.exe

Network

Country   Destination           Domain                        Proto
RU        5.42.92.211:80        N/A                           tcp
FI        77.91.124.82:19071    N/A                           tcp
FI        77.91.124.82:19071    N/A                           tcp
US        8.8.8.8:53            11.227.111.52.in-addr.arpa    udp
FI        77.91.124.82:19071    N/A                           tcp
FI        77.91.124.82:19071    N/A                           tcp
US        8.8.8.8:53            38.148.119.40.in-addr.arpa    udp
FI        77.91.124.82:19071    N/A                           tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6670028.exe

MD5 7d167f11001e81ae9de536d660be67c5
SHA1 f28c61d979e3178d7d3ddf6378bb2ccf7062d95f
SHA256 e1d6e976808c8081f81d00daad0409756605111ffc9e41e67f58f98a6565b6fa
SHA512 2e39a7a9193fd772db2d4d7860e7c5ba7e448f00f9ddff8a82672e4f6bde9a632ca0da4e996827e4c167dc1f1b38e48a6341fd1bc55e719b39629a510dce395f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4413852.exe

MD5 69cd62dd1807a3f3ed07f3828ee0a149
SHA1 5e1f177ce86d6da85975bb009de1bd5f3f98ec93
SHA256 5e69862b29c7fe4ce5498185f281c3bdbe55a1fc882bc2089fd020c48fa17b35
SHA512 6c44f5a290e7a25b0db758e9232accb8ae6ac67b1ed6bd0fffaad3c4b670418c4cae4dc41527c7bd34a2ea252341e1ea4eaeedcc36057d33bce2ae16787b323f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5033490.exe

MD5 b9c72a6902c1b14f2e054497232b5e14
SHA1 39291f76b1a94185d76c160980dffb1f9fbf41d3
SHA256 0118ef88749345f4ada8bb2281f71b0601117b952cc9d67666a3d5c02f486ccf
SHA512 521e05913bf9b0f1bae38b1d32746efe22bcb5ca821d4c4e11962f80bf04f27461881f201a4382156480c3c739cbba9389e7ad2ff4d782bfd7c552e97549d2da

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6383049.exe

MD5 1b276d9e94d340bed48c1a253a60796c
SHA1 b7c3c4cefe1529536b455eeee0e2b88057f5a34a
SHA256 6322738bdf57adddd1d5afe6cd9c4a1f39a23df63707375de59a51360f869e82
SHA512 c8c5136525861a94da38a3a7792b9a86e22daaf829066e3e666859d610d073352e9c1ac6f217a349f4b9adb42587c7cd5f2e48d6e489b5b5e5a089ff8666bd80

Memory dumps (PID 1852)

memory/1852-24-0x0000000000ED0000-0x0000000000F00000-memory.dmp
memory/1852-25-0x0000000072B90000-0x000000007327E000-memory.dmp
memory/1852-26-0x0000000001780000-0x0000000001786000-memory.dmp
memory/1852-27-0x000000000B2F0000-0x000000000B8F6000-memory.dmp
memory/1852-28-0x000000000ADF0000-0x000000000AEFA000-memory.dmp
memory/1852-29-0x0000000003330000-0x0000000003342000-memory.dmp
memory/1852-30-0x0000000005910000-0x000000000594E000-memory.dmp
memory/1852-31-0x000000000ACE0000-0x000000000AD2B000-memory.dmp
memory/1852-32-0x0000000072B90000-0x000000007327E000-memory.dmp