Malware Analysis Report

2025-03-15 01:40

Sample ID 230910-q1d9xshd98
Target c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0
SHA256 c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0

Threat Level: Known bad

The file c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 13:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 13:43

Reported

2023-09-10 13:46

Platform

win10-20230831-en

Max time kernel

134s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe
PID 3532 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe
PID 3532 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe
PID 3548 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe
PID 3548 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe
PID 3548 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe
PID 1212 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6852595.exe
PID 1212 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6852595.exe
PID 1212 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6852595.exe
PID 1212 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4350701.exe
PID 1212 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4350701.exe
PID 1212 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4350701.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0.exe

"C:\Users\Admin\AppData\Local\Temp\c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6852595.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6852595.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4350701.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4350701.exe

Network

Country Destination Domain Proto
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe

MD5 d4edb5567c7ca11501bef02f208e6161
SHA1 6ffeab2d5cdc191f508ade66eab65ee27c4a2bb7
SHA256 1d490fef50d85fb899954a648a07682df791344020df9adb4f3351e4c0bd1c29
SHA512 4ad0e777cc03f22bc20c374be6e5b27a9fee2dcc9a0900d7ec309029f3c4056d28feac0a76fdef932de8a836aafcc9a82228f1c70eb7a20f0e232a62a94ed453

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe

MD5 c8d87e7d399e769ed8aeecd61a0bffde
SHA1 dfd0939da42f497bf5dff7859673bc0331d9d06a
SHA256 46b841b5c1ee4eca590937520cce7fced11286f30cb5c61b22f9474fb23cc9e1
SHA512 7b985f8007bc4ca621e29b67e2d44f91743d99b32ad0d8979da3f9fbbccc4e2854b92c3499b1e83628ee7853a8d045b6d032c8dcaebdfc1af25a635e7d88f5af

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6852595.exe

MD5 73382f6db421cfc92314b76617a0a63b
SHA1 16a64c163711112fbcbcc416d225e80949aafeb5
SHA256 a593c86f46caa9bba9f3907d8fd4504b41a2e48ae65c690b3a553f52dedb57e5
SHA512 2e326c9f9a203e6ac6a76c7fc32b2fb41fe73fa0f13108b8ba34406b4208486240c3e5632031bfab445bcb76d0f420fd2b8e30f16c950ba863b3f9e9e9ff4e93

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4350701.exe

MD5 374978733248502d9b975a43a2c7b8eb
SHA1 252cd7c091e01f74f09c6fd1369f4c8b03bbb4f5
SHA256 75749bf00c3a86930409f7a9b082f941137c80bb6a58a0d616493ac033d423a5
SHA512 ed5395a71cd30d00be4396ff1335b8b66b63a86b259d89227ac17ed9cc31c510204c2b8cbe026d1f5faff736f00e5789691d0e87b161e27caa697c9a49902a77

memory/4160-24-0x0000000000AE0000-0x0000000000B10000-memory.dmp

memory/4160-25-0x0000000072F20000-0x000000007360E000-memory.dmp

memory/4160-26-0x0000000002CC0000-0x0000000002CC6000-memory.dmp

memory/4160-27-0x000000000AF50000-0x000000000B556000-memory.dmp

memory/4160-28-0x000000000AA50000-0x000000000AB5A000-memory.dmp

memory/4160-29-0x000000000A960000-0x000000000A972000-memory.dmp

memory/4160-30-0x000000000A9C0000-0x000000000A9FE000-memory.dmp

memory/4160-31-0x000000000AA00000-0x000000000AA4B000-memory.dmp

memory/4160-32-0x0000000072F20000-0x000000007360E000-memory.dmp