Malware Analysis Report

2025-03-15 01:42

Sample ID 230910-q4aqxahe49
Target 599843ccca192d07098673d85e367c76aaebd4676afcf73d090f4d101553c9e0
SHA256 599843ccca192d07098673d85e367c76aaebd4676afcf73d090f4d101553c9e0
Tags redline virad infostealer persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 599843ccca192d07098673d85e367c76aaebd4676afcf73d090f4d101553c9e0

Threat Level: Known bad

The file 599843ccca192d07098673d85e367c76aaebd4676afcf73d090f4d101553c9e0 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 13:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 13:48

Reported

2023-09-10 13:51

Platform

win10-20230703-en

Max time kernel

135s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\599843ccca192d07098673d85e367c76aaebd4676afcf73d090f4d101553c9e0.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\599843ccca192d07098673d85e367c76aaebd4676afcf73d090f4d101553c9e0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3472328.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2658062.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2540 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\599843ccca192d07098673d85e367c76aaebd4676afcf73d090f4d101553c9e0.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3472328.exe
PID 2392 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3472328.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2658062.exe
PID 4992 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2658062.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1073773.exe
PID 4992 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2658062.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8247292.exe

Processes

Process C:\Users\Admin\AppData\Local\Temp\599843ccca192d07098673d85e367c76aaebd4676afcf73d090f4d101553c9e0.exe
Command line "C:\Users\Admin\AppData\Local\Temp\599843ccca192d07098673d85e367c76aaebd4676afcf73d090f4d101553c9e0.exe"

Process C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3472328.exe
Command line C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3472328.exe

Process C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2658062.exe
Command line C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2658062.exe

Process C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1073773.exe
Command line C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1073773.exe

Process C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8247292.exe
Command line C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8247292.exe

Network

Country | Destination | Domain | Proto
RU | 5.42.92.211:80 | 5.42.92.211 | tcp
US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp
FI | 77.91.124.82:19071 |  | tcp
FI | 77.91.124.82:19071 |  | tcp
FI | 77.91.124.82:19071 |  | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
FI | 77.91.124.82:19071 |  | tcp
US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp
FI | 77.91.124.82:19071 |  | tcp
US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp
FI | 77.91.124.82:19071 |  | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3472328.exe

MD5 ee86e032eac963b5d9b14ae097578e12
SHA1 8b9b6c96e8f2c6c8c1617d3aea36e32b01e0876e
SHA256 180ef58e71699f56fca06f9f78371e56823eb7024e8e2893d223e22e73fceafe
SHA512 60740b21da274316165171cffb1325dfe8e20bf43e169f2d3c9448aacd79bf4e2ae9544d3f94bcc9417f9115f9d97830509268c0c6386d5f396f70eb9589c4b5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2658062.exe

MD5 945736f8439d4edf45268e0aa9700829
SHA1 399835cd8ca19b58cabdd56fc9ff4d35b49ab90e
SHA256 47ffa98fa556ec4190dfb278ca09b7443412f86bd5b541344c4188edc860a16f
SHA512 69a85a55d5534429706ae6cc0c7db550629e812a0be7feeb8d88084b347600fc2f223b335bc735ebf8027f271112130ae446237f9f63bd4f3fe73de2ec9eda52

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1073773.exe

MD5 8ad4f8b9d6e6f0e6629f16a7302cd42f
SHA1 f6663351e2b97b704757365cf5f7ab212f6ca290
SHA256 eb303f1d5469de2ffb5dc6ea23e59675f14c431122889ba180d09b3b7f05ac78
SHA512 8dc9878e68854c2b5ce6e35768f2615e154f4831472af6327a088e87884b4c995fd297e86373f3f8c6299b74e69cea4b42bdf8e338fe3f0e0c84890e114c6729

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8247292.exe

MD5 23107bd07a2bdfd3cc9b9626767ba9ee
SHA1 d66c91701c8ad9773e077a8e3ca9d33c08274acc
SHA256 c7b2b897172ed3cbd3b4cd24e7c880bb6bbd363098c63eaba7774daa8f7fedc4
SHA512 385cbf99821092068fbc3bfbe950f9d6e8e4a378635c4ed11f7ded4f22f756f8119448001a684b5cfba689eb59e730ac36a44f8b09dcc4abf9d96786db07471b
