Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-q923cahe84
Target d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2
SHA256 d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2
Tags redline virad infostealer persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2

Threat Level: Known bad

The file d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 13:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 13:58

Reported

2023-09-10 14:01

Platform

win10-20230831-en

Max time kernel

134s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8729449.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8729449.exe
PID 2752 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8729449.exe
PID 2752 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8729449.exe
PID 3796 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8729449.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe
PID 3796 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8729449.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe
PID 3796 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8729449.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe
PID 4604 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7110257.exe
PID 4604 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7110257.exe
PID 4604 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7110257.exe
PID 4604 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9083220.exe
PID 4604 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9083220.exe
PID 4604 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9083220.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2.exe

"C:\Users\Admin\AppData\Local\Temp\d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8729449.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8729449.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7110257.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7110257.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9083220.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9083220.exe

Network

Country  Destination          Domain                        Proto
RU       5.42.92.211:80       5.42.92.211                   tcp
US       8.8.8.8:53           211.92.42.5.in-addr.arpa      udp
FI       77.91.124.82:19071                                 tcp
FI       77.91.124.82:19071                                 tcp
FI       77.91.124.82:19071                                 tcp
US       8.8.8.8:53           48.229.111.52.in-addr.arpa    udp
FI       77.91.124.82:19071                                 tcp
US       8.8.8.8:53           9.57.101.20.in-addr.arpa      udp
FI       77.91.124.82:19071                                 tcp
US       8.8.8.8:53           209.143.182.52.in-addr.arpa   udp
FI       77.91.124.82:19071                                 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8729449.exe

MD5 a6747c0584424e180a8f4fc7121e1d34
SHA1 c1293449148cb974acda562528648d55d5c4a54f
SHA256 2e39be3582d691a7f6e6d078cf056886c426e5b54e2bf3d3c043f87ff2fbf7dc
SHA512 851345046d55c626fbb478cae89d8920a2a33ec3ac6b71afa25989c3020bb78e3fb49b70dbd909132216e108dd302a20ec8bbe08ddb13e123f0a003645dea455

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe

MD5 431f3f95510930e963f99cd0d01f0a41
SHA1 4b9a18c98064ed6f821936800fdbd14b59ac0832
SHA256 8b6972994f255a37a524978b560ba2f8d2f5c0a36d4184639db630ba3e5fb7bc
SHA512 29263e4cf7efdc69fedfce72762477f436ea509a5b4a8cb16bf3a7b174e284d0c5a7e3c6a65211859779ad8d49749546da7cf718285b262ffa08cf57ee24c404

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7110257.exe

MD5 4a85fb56733eecb5ddd8e0eb1ed5fc10
SHA1 a00fca2f656406f762bf77850dcbaab1ec68bf77
SHA256 c8dab383d0b337999d9ee3c3ff15efc1147f44d49215fba683c0a093328a8402
SHA512 babb63fbbc046a607c5881176fcd95b47bce641fc61489861587ca3618c682a24ecc28aa890b46e80527c1033c9d423cc835ee74c9cd25ad78fe419247d58938

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9083220.exe

MD5 fbedbb8621976cc74f389ce738151acb
SHA1 c15d1b8b555b025d68abbfe1cc50e6776aacd408
SHA256 8336fdabb3a60a81d3025e92809d9e119ebe8d7e19a3427bd1bf0aa5f0e4b39e
SHA512 31738f9f338119bee89e07ad972637bbb85037df8d4b38c4431c7a01f293a20bd8caf9fa96dd5c81b9da0e97d52281db8b7ce91dd3ceb1f0d3659ceba08d127f

memory/204-24-0x0000000000DD0000-0x0000000000E00000-memory.dmp

memory/204-25-0x0000000072EF0000-0x00000000735DE000-memory.dmp

memory/204-26-0x0000000005590000-0x0000000005596000-memory.dmp

memory/204-27-0x0000000005CF0000-0x00000000062F6000-memory.dmp

memory/204-28-0x00000000057F0000-0x00000000058FA000-memory.dmp

memory/204-29-0x0000000005700000-0x0000000005712000-memory.dmp

memory/204-30-0x0000000005760000-0x000000000579E000-memory.dmp

memory/204-31-0x00000000057A0000-0x00000000057EB000-memory.dmp

memory/204-32-0x0000000072EF0000-0x00000000735DE000-memory.dmp