Malware Analysis Report

2025-03-15 01:39

Sample ID 230910-mbt3asgc5w
Target 4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8
SHA256 4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8

Threat Level: Known bad

The file 4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 10:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 10:17

Reported

2023-09-10 10:20

Platform

win10-20230831-en

Max time kernel

135s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence

All three hits are RunOnce values named wextract_cleanup0, wextract_cleanup1 and wextract_cleanup2 whose data is a rundll32.exe advpack.dll,DelNodeRunDLL32 command. That is the value the IExpress/wextract self-extractor writes so that its IXP00n.TMP extraction directory is deleted at the next logon, and the fact that each stage writes its own shows a three-level nested self-extracting dropper (IXP000.TMP -> IXP001.TMP -> IXP002.TMP). None of these values launches the payload, so they do not by themselves show that the sample survives a reboot; the persistence tag on this report comes from this signature alone.

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe
Target: N/A
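The following is an added example, not part of the sandbox report: a small classifier that takes the three registry rows exactly as the report prints them, undoes the report's JSON-style escaping of the value data, and separates the wextract cleanup pattern (a RunOnce value named wextract_cleanupN that runs advpack.dll,DelNodeRunDLL32 on a directory) from a Run/RunOnce value that actually launches an executable. The fourth input row is constructed for contrast and does not come from this sample; the value name Updater, the path updater.exe and the process example.exe are invented.

```python
"""Classify the registry 'Set value' indicators listed above.

Added example, not part of the sandbox report. It parses the RunOnce rows as
printed and separates the IExpress/wextract self-extractor cleanup entry
(rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>") from a Run/RunOnce value
that would actually start a program at logon.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# The three rows from the report, verbatim. The sandbox prints the value data
# JSON-escaped: backslashes are doubled and embedded quotes appear as \".
REPORT_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe N/A
'''.strip().splitlines()

# Constructed contrast row (NOT from the report): a Run value whose data is an
# executable path, i.e. what genuine autostart persistence looks like.
CONSTRUCTED_AUTOSTART_ROW = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater'
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" C:\Users\Admin\AppData\Local\Temp\example.exe N/A'
)

# Description, key path, quoted data, writing process, target column.
ROW_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S+) = "(.*)" (\S+) (\S+)$')
# rundll32[.exe] <path>advpack.dll,DelNodeRunDLL32 "<directory deleted at next logon>"
CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"\s*$', re.IGNORECASE)


@dataclass
class RegistryHit:
    key: str
    value_name: str
    data: str                 # value data with the report's escaping undone
    process: str              # process that wrote the value
    kind: str                 # 'sfx_cleanup', 'autostart' or 'other'
    cleanup_dir: Optional[str]


def unescape(raw: str) -> str:
    """The report escapes value data like a JSON string; decode it as one."""
    return json.loads(f'"{raw}"')


def classify(row: str) -> RegistryHit:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f'unrecognised row: {row!r}')
    _vtype, key, raw, process, _target = m.groups()
    data = unescape(raw)
    parent, value_name = key.rsplit('\\', 1)
    parent_l = parent.lower()
    cleanup = CLEANUP_RE.match(data)
    if (parent_l.endswith('\\currentversion\\runonce')
            and value_name.lower().startswith('wextract_cleanup') and cleanup):
        return RegistryHit(key, value_name, data, process, 'sfx_cleanup', cleanup.group(1))
    if parent_l.endswith(('\\currentversion\\run', '\\currentversion\\runonce')):
        return RegistryHit(key, value_name, data, process, 'autostart', None)
    return RegistryHit(key, value_name, data, process, 'other', None)


def classify_rows(rows: List[str]) -> List[RegistryHit]:
    return [classify(r) for r in rows]


if __name__ == '__main__':
    for hit in classify_rows(REPORT_ROWS + [CONSTRUCTED_AUTOSTART_ROW]):
        image = hit.process.rsplit('\\', 1)[-1]
        print(f'{hit.kind:12} {hit.value_name:20} written by {image}')
        if hit.cleanup_dir:
            print(f'{"":12} deletes {hit.cleanup_dir} at next logon')
```

Run stand-alone, the script labels the three report rows sfx_cleanup and prints the IXP00n.TMP directory each one schedules for deletion, while the constructed Run\Updater row comes out as autostart. Feeding a report's full registry table through this is a quick way to see whether a persistence tag rests on installer cleanup entries or on something that really launches at logon.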

Suspicious use of WriteProcessMemory

Each process writes only into the next stage's process, so the rows trace the drop chain 4bab...e8322c8.exe -> y3018998.exe -> y1774864.exe -> {m4350058.exe, n3130102.exe}; the sandbox logged each parent/child pair three times. Writes from a parent into the child it has just started are what a staged loader looks like and are not, by themselves, evidence of injection into an unrelated process.

Description: PID 3392 wrote to memory of 4508 (logged 3 times)
Process: C:\Users\Admin\AppData\Local\Temp\4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe

Description: PID 4508 wrote to memory of 2228 (logged 3 times)
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe

Description: PID 2228 wrote to memory of 3128 (logged 3 times)
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4350058.exe

Description: PID 2228 wrote to memory of 5044 (logged 3 times)
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3130102.exe
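As an added example (not part of the sandbox report), the script below takes the WriteProcessMemory rows exactly as printed, collapses the repeated rows into one edge per writer/target pair with a count, and renders the result as a PID tree. The row format and the twelve input lines are the report's own; nothing else is assumed.

```python
"""Rebuild the launch chain from the WriteProcessMemory rows above.

Added example, not part of the sandbox report. The report prints one row per
write, so each parent/child pair appears three times; this collapses the rows
into a PID tree with per-edge counts so the chain can be read at a glance.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Rows copied from the report (PIDs and image paths as logged by the sandbox).
WPM_ROWS = r'''
PID 3392 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe
PID 3392 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe
PID 3392 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe
PID 4508 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe
PID 4508 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe
PID 4508 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe
PID 2228 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4350058.exe
PID 2228 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4350058.exe
PID 2228 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4350058.exe
PID 2228 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3130102.exe
PID 2228 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3130102.exe
PID 2228 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3130102.exe
'''.strip().splitlines()

ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')


def parse_writes(rows: List[str]) -> Tuple[Dict[Tuple[int, int], int], Dict[int, str]]:
    """Return (edge counts {(writer, target): n}, image paths {pid: path})."""
    counts: Dict[Tuple[int, int], int] = defaultdict(int)
    images: Dict[int, str] = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f'unrecognised row: {row!r}')
        writer, target, writer_img, target_img = m.groups()
        edge = (int(writer), int(target))
        counts[edge] += 1
        images[edge[0]] = writer_img
        images[edge[1]] = target_img
    return dict(counts), images


def build_tree(counts):
    """Children per PID, plus the roots (writers that were never written into)."""
    children = defaultdict(list)
    for writer, target in counts:
        children[writer].append(target)
    targets = {t for _, t in counts}
    roots = sorted({w for w, _ in counts} - targets)
    return {pid: sorted(kids) for pid, kids in children.items()}, roots


def render_tree(counts, images) -> List[str]:
    """Indented text tree; each child line carries the number of writes from its parent."""
    tree, roots = build_tree(counts)
    lines: List[str] = []

    def walk(pid: int, depth: int, note: str) -> None:
        name = images[pid].rsplit('\\', 1)[-1]
        lines.append('  ' * depth + f'{name} (PID {pid}){note}')
        for child in tree.get(pid, []):
            walk(child, depth + 1, f' <- {counts[(pid, child)]} write(s) from PID {pid}')

    for root in roots:
        walk(root, 0, '')
    return lines


if __name__ == '__main__':
    counts, images = parse_writes(WPM_ROWS)
    print('\n'.join(render_tree(counts, images)))
```

The tree has a single root (PID 3392, the submitted sample) and two leaves under PID 2228, which is the shape of the IXP000/IXP001/IXP002 extraction chain in the Files section. A write whose target was not a child of the writer would show up as a second root or a cross-edge, which is the case worth treating as real injection.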

Processes

Process tree (PIDs taken from the WriteProcessMemory rows above; the indented second line of each entry is the recorded command line):

C:\Users\Admin\AppData\Local\Temp\4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8.exe (PID 3392)
    "C:\Users\Admin\AppData\Local\Temp\4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8.exe"

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe (PID 4508)
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe (PID 2228)
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4350058.exe (PID 3128)
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4350058.exe

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3130102.exe (PID 5044)
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3130102.exe

Network

Country  Destination           Domain                         Proto  Note
RU       5.42.92.211:80        5.42.92.211                    tcp    contacted by bare IP, no hostname recorded
US       8.8.8.8:53            211.92.42.5.in-addr.arpa       udp    reverse (PTR) lookup for 5.42.92.211
FI       77.91.124.82:19071    (none)                         tcp    1st of 6 connections, no hostname recorded
FI       77.91.124.82:19071    (none)                         tcp
FI       77.91.124.82:19071    (none)                         tcp
US       8.8.8.8:53            48.229.111.52.in-addr.arpa     udp    reverse (PTR) lookup for 52.111.229.48
FI       77.91.124.82:19071    (none)                         tcp
US       8.8.8.8:53            9.57.101.20.in-addr.arpa       udp    reverse (PTR) lookup for 20.101.57.9
FI       77.91.124.82:19071    (none)                         tcp
US       8.8.8.8:53            224.162.46.104.in-addr.arpa    udp    reverse (PTR) lookup for 104.46.162.224
FI       77.91.124.82:19071    (none)                         tcp

The only DNS traffic in the capture is reverse (PTR) lookups sent to 8.8.8.8; no forward lookup precedes either TCP destination, so 5.42.92.211 and 77.91.124.82 were both reached directly by IP address. Six TCP connections to 77.91.124.82 on the non-standard port 19071 with no name resolution are consistent with the hard-coded IP:port C2 that RedLine builds use, which makes 77.91.124.82:19071 the network indicator to block and hunt for. The PTR lookups for 52.111.229.48, 20.101.57.9 and 104.46.162.224 are for addresses that appear nowhere else in the list.
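As an added example (not part of the sandbox report), the code below parses the Network rows as printed, turns the in-addr.arpa PTR names back into the IPv4 addresses they refer to, groups connections per destination and lists the destinations that were contacted without any hostname. The only assumption beyond the report is how its Domain column is read: a bare IP repeated in that column, as on the 5.42.92.211:80 row, is treated as "no hostname".

```python
"""Summarise the Network rows above into per-destination indicators.

Added example, not part of the sandbox report. Each row has three or four
whitespace-separated fields (Country, Destination, optional Domain, Proto).
The in-addr.arpa names queried at 8.8.8.8 are reverse (PTR) lookups, which are
turned back into the IPv4 address they describe, and destinations reached with
no hostname anywhere in the capture are reported as bare-IP indicators.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Rows copied from the report's Network table, in the order printed.
NETWORK_ROWS = """
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
""".strip().splitlines()


def looks_like_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def ptr_to_ip(name: str) -> Optional[str]:
    """'211.92.42.5.in-addr.arpa' -> '5.42.92.211'; None if not an IPv4 PTR name."""
    suffix = '.in-addr.arpa'
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split('.')
    if len(octets) != 4:
        return None
    candidate = '.'.join(reversed(octets))
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ipaddress.AddressValueError:
        return None


def parse_row(row: str) -> dict:
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f'unrecognised row: {row!r}')
    # Assumption: the sandbox repeats the bare IP in the Domain column when no
    # name was seen, so an IP there means "no hostname".
    if domain is not None and looks_like_ip(domain):
        domain = None
    return {'country': country, 'dest': dest, 'domain': domain, 'proto': proto}


def summarise(rows: List[str]) -> Dict[Tuple[str, str], dict]:
    """Group rows by (destination, proto); collect hostnames and decoded PTR targets."""
    summary: Dict[Tuple[str, str], dict] = {}
    for r in map(parse_row, rows):
        key = (r['dest'], r['proto'])
        entry = summary.setdefault(
            key, {'country': r['country'], 'count': 0, 'domains': [], 'ptr_targets': []})
        entry['count'] += 1
        if r['domain'] and r['domain'] not in entry['domains']:
            entry['domains'].append(r['domain'])
            ip = ptr_to_ip(r['domain'])
            if ip:
                entry['ptr_targets'].append(ip)
    return summary


def hardcoded_destinations(summary) -> List[str]:
    """Non-DNS destinations contacted with no hostname anywhere in the capture."""
    return [dest for (dest, _proto), e in summary.items()
            if not e['domains'] and not dest.endswith(':53')]


if __name__ == '__main__':
    s = summarise(NETWORK_ROWS)
    for (dest, proto), e in s.items():
        print(f'{dest:22} {proto:4} x{e["count"]}  domains={e["domains"]}  ptr_targets={e["ptr_targets"]}')
    print('contacted by bare IP:', hardcoded_destinations(s))
```

On this report the summary shows one TCP destination on port 80, six connections to 77.91.124.82:19071 and four PTR queries; the bare-IP list comes out as 5.42.92.211:80 and 77.91.124.82:19071, which is exactly the pair a hunt query or block list should carry.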

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe

MD5 df99d3d338437ad7948606c0e866dfd8
SHA1 5f3d0599288dd9425297304d739dab0c0572aea5
SHA256 53636e36a4636954d5b83deb92e080d2d837136e9f9765c8b96b93196efb9197
SHA512 263075eb35667b2fc386012cb951ccda631e8f560a4f351ba411785ec1dcc4edca057000b0aed710cacca12cd7bd498ea57ff24ce859d417ea16e30360c3115f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe

MD5 b1123e0eea43083d04ca4985357d087e
SHA1 3f09af2da2146f2b26ef7d72de00b27ac489a991
SHA256 58ff35935ca6618a9e8c8b5a746698b4f6d241ab7ce6143dd49699cb0317c5a0
SHA512 307f153c52dcd3efa8a2378c47df2ac20db90e7db10e4b2c3850efb12f2954d11e864fbcd1a5dfc4b200a0b05d5a939735eab52280123d6b6bc3a539d9ee2e89

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4350058.exe

MD5 9d7454d23fcb98608bb27546984f7bf2
SHA1 1df6780b2446db970fca203726f792cde1fb36fd
SHA256 3412205817988b9c1e4e8f74f108e6dda6c84681f28e0d6637934f423c07c672
SHA512 347a0b9d3ad549e88283953f2db80d4d9dfd62e9251d0de40d6f46b7e89d17b35fa1ec0fe8cbe4ca03ec2ddb9214f25ebe4ea921aa3d705d9a80e8cf361dac56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3130102.exe

MD5 3d9f3caf3864e2d1236a6de74c9f8b9e
SHA1 f27ddf34425c878e7c7067a77178af01490170ef
SHA256 64b7e6e77af4a8ff51fd76b77d124628c314d6b72aedbec3c19990f0fc4ea9f6
SHA512 33c4eeaa20330d835b5ecceba2ccdfb72527f24af0acffd65f402985bdc5402199fe8a50a4c1edb881ece4121470a06ff1a9f68308be0e8496275ff34b3cf6af

Memory dumps, all taken from PID 5044 (C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3130102.exe, per the WriteProcessMemory rows); dumps 25 and 32 cover the same 0x73170000-0x7385E000 region, captured twice:

memory/5044-24-0x00000000000B0000-0x00000000000E0000-memory.dmp
memory/5044-25-0x0000000073170000-0x000000007385E000-memory.dmp
memory/5044-26-0x0000000000850000-0x0000000000856000-memory.dmp
memory/5044-27-0x0000000005010000-0x0000000005616000-memory.dmp
memory/5044-28-0x0000000004B10000-0x0000000004C1A000-memory.dmp
memory/5044-29-0x0000000004480000-0x0000000004492000-memory.dmp
memory/5044-30-0x0000000004A40000-0x0000000004A7E000-memory.dmp
memory/5044-31-0x0000000004A80000-0x0000000004ACB000-memory.dmp
memory/5044-32-0x0000000073170000-0x000000007385E000-memory.dmp