Malware Analysis Report

2025-03-15 01:38

Sample ID 230910-qyqj6shd82
Target 0x00080000000146e3-30.dat
SHA256 5fb7ac419931189b181a54705418ac2329ba195e4b2f20ef1085650cfe858064
Tags: virad redline infostealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 5fb7ac419931189b181a54705418ac2329ba195e4b2f20ef1085650cfe858064

Threat Level: Known bad

The file 0x00080000000146e3-30.dat was found to be: Known bad.

Malicious Activity Summary

virad redline infostealer

Redline family

RedLine

Drops file in System32 directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-09-10 13:40

Signatures

Redline family

redline

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2023-09-10 13:40

Reported: 2023-09-10 13:43

Platform: win7-20230831-en

Max time kernel: 133s

Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00080000000146e3-30.exe"

Signatures

RedLine

infostealer redline

Processes

C:\Users\Admin\AppData\Local\Temp\0x00080000000146e3-30.exe

"C:\Users\Admin\AppData\Local\Temp\0x00080000000146e3-30.exe"

Network

Country Destination Domain Proto
FI 77.91.124.82:19071 tcp

Files

memory/2292-0-0x0000000000EF0000-0x0000000000F20000-memory.dmp
memory/2292-1-0x0000000073ED0000-0x00000000745BE000-memory.dmp
memory/2292-2-0x0000000000490000-0x0000000000496000-memory.dmp
memory/2292-3-0x00000000049B0000-0x00000000049F0000-memory.dmp
memory/2292-4-0x0000000073ED0000-0x00000000745BE000-memory.dmp
memory/2292-5-0x00000000049B0000-0x00000000049F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-09-10 13:40

Reported: 2023-09-10 13:43

Platform: win10v2004-20230831-en

Max time kernel: 143s

Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00080000000146e3-30.exe"

Signatures

RedLine

infostealer redline

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C6B5AAA5-F3AC-47CF-BFF1-D4482E5AC2EB}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x00080000000146e3-30.exe

"C:\Users\Admin\AppData\Local\Temp\0x00080000000146e3-30.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 120.145.253.8.in-addr.arpa udp
US 8.8.8.8:53 254.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wsu9DA7.tmp

MD5 c01eaa0bdcd7c30a42bbb35a9acbf574
SHA1 0aee3e1b873e41d040f1991819d0027b6cc68f54
SHA256 32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40
SHA512 d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 f38c6b0787f563f037623fee989250c9
SHA1 fd7d80b95ea635f848648f0aaff0226e2c274be7
SHA256 540dc9d05835839ff7a11850fea9675abbdbd6946aece64496f1a51d26827e18
SHA512 73069ab7be902e888a6683b47d6bfb1a016a423f2802bed0b292093ccdb14ab4afdc2b513a652a738a6b385f3f134e8e024f5065356b58b7afc048d313781474

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 02a0327b77d00d67ea2a68d90542ee78
SHA1 d0bf040058a8083e62d277037a9d98176f6a3c18
SHA256 7f5f3ff5c6eb8f78deec763081274dc1ffbf39d892c42ca82c20f52c97f0806d
SHA512 053ae829b4d3889e84b935243167604cd1194b613a20d9ead1317dc5886b68ebc807389a8d8632fb3e56152d262521a75e62c7a0393d7794e7ef325cd4b5a763

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 6cb88e8bd4e827ea40f2e69d183cd2d9
SHA1 c9b4874e218e34b7dc4f4a636c65a836277dc563
SHA256 a9ec11d2738d1efe67094477fb88d705a5bc69a8674add246d6e8624ff71292f
SHA512 5edd0aa2cb7aa4eb041ba90b64741626a661724dbd8ba785fa4535fadbc4f94cef73fa16dd39893360e478ff4c5ea1e3d32615ba1505650473ef8e2a6f846c7a

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 118ddfff7f15fdd71e01cea81c9bdba8
SHA1 b0ec8f86aae59ab024a08f155b66fa0ec945ed91
SHA256 62c624f1ee94798886022a82a4aafda7aa91e0aaf10c76cb497f9ac5b040de18
SHA512 885946c92d847360d58899710d1931b0b96120273978136e71ff616e6e146703de501c78b99d72dab6ab5dd81e22bb008f89886e32b0e4346bb4dbf2d56c0a79

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 df9d9f3e048e47eb17265fdd991c9dca
SHA1 9e7132c2244189671e9c8a7871a0f54ed1bdb399
SHA256 a8be625c87edfa3ca4b5ad3c77fd380a08837360bcf80e151b5b73d6be089bc1
SHA512 758f3316ca377a74bf88bec4e704c56d1d4b12c3180a30e37d2df85fab13ef2b3d43e8d128331fae64ceb0cbe41d1d1d7524411914da798c2315cce3c7cc3289

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 53c21dbe04fe230bc2bec06b047d9f38
SHA1 d63f0872921c1bd50c4bf4c700262df206fc818e
SHA256 def41a5af7f474ba584b10c38d22bb8f41571419d4c91f70a6c1daf540357953
SHA512 58b651167c9eae8a59f56b46c206f3cc857b7d051ccfa48ab0e5851db8850fe0fe4fd569f488bde0d6e10404795983e56498b122acf3fb8663cb06348e6d8872

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 26798b50a016f3c1cbcb5f719b01cb37
SHA1 6f6d37a842859fa1a881c1096e7a53cffabc180b
SHA256 2588c87430945a36919901179858f10957f8be2a0e1690dd84703eddd89f8b19
SHA512 eda8e58aff0a5c4af9edf459aee4a86b99016e1ed4551f80085ec728bb1bf57d02550ed01e01f6da0e42ac86d961648f0245924692dc7adc54f5020a8d85dea2

memory/2684-282-0x000001C8F67E0000-0x000001C8F67E1000-memory.dmp
memory/2684-283-0x000001C8F67D0000-0x000001C8F67D1000-memory.dmp
memory/2684-285-0x000001C8F67E0000-0x000001C8F67E1000-memory.dmp
memory/2684-288-0x000001C8F67D0000-0x000001C8F67D1000-memory.dmp
memory/2684-291-0x000001C8F6710000-0x000001C8F6711000-memory.dmp

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

MD5 d72bb6f085e82b1cec519ecd62c4df33
SHA1 ccf1afcb3da2e044156af825376b0bfa6d269781
SHA256 f274d4b381b5b261a837156437d1a8055c19e6762e9d7f1387ac8a093d69b02b
SHA512 3eefb81599d8f616922167ca25b5522b3427a926a4f98905658e30d3e77ab8f121b48e213fbf9a6220416b9c2b3a2f28fc933f42c5f580c817b24bbf38a8d328

memory/2684-303-0x000001C8F6910000-0x000001C8F6911000-memory.dmp
memory/2684-305-0x000001C8F6920000-0x000001C8F6921000-memory.dmp
memory/2684-306-0x000001C8F6920000-0x000001C8F6921000-memory.dmp
memory/2684-307-0x000001C8F6A30000-0x000001C8F6A31000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 46d490b54ba7a815a1ca81e0aaaf472f
SHA1 5e4385521b59ad02a34efe2a8dac436b715ef36d
SHA256 04b54ff77e7ce82a149d1d4705ad946fc8925a6e1a0f01422dcda0816727f3a3
SHA512 1bf3438cb06c3813a43de8ea70b4cc87e75a949d74f4fc78be22f021a53667d4f196a080fd7ab45c1005b70320b7dbca69c8eb6f864cae1fdbafd0533abf4b9e