Malware Analysis Report

2025-03-15 01:44

Sample ID 230910-qztm8ahe3s
Target 427fc9aabd9fb141a41b1bdf410eb785cea07db78ee47e3601b202aac8d9ca1e
SHA256 427fc9aabd9fb141a41b1bdf410eb785cea07db78ee47e3601b202aac8d9ca1e
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

427fc9aabd9fb141a41b1bdf410eb785cea07db78ee47e3601b202aac8d9ca1e

Threat Level: Known bad

The file 427fc9aabd9fb141a41b1bdf410eb785cea07db78ee47e3601b202aac8d9ca1e was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 13:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 13:42

Reported

2023-09-10 13:45

Platform

win10v2004-20230831-en

Max time kernel

167s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\427fc9aabd9fb141a41b1bdf410eb785cea07db78ee47e3601b202aac8d9ca1e.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\427fc9aabd9fb141a41b1bdf410eb785cea07db78ee47e3601b202aac8d9ca1e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6209226.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6468188.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 548 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\427fc9aabd9fb141a41b1bdf410eb785cea07db78ee47e3601b202aac8d9ca1e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6209226.exe
PID 3984 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6209226.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6468188.exe
PID 2868 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6468188.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1111805.exe
PID 2868 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6468188.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4891288.exe

Processes

C:\Users\Admin\AppData\Local\Temp\427fc9aabd9fb141a41b1bdf410eb785cea07db78ee47e3601b202aac8d9ca1e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\427fc9aabd9fb141a41b1bdf410eb785cea07db78ee47e3601b202aac8d9ca1e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6209226.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6209226.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6468188.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6468188.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1111805.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1111805.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4891288.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4891288.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 99.134.101.95.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6209226.exe

MD5 bf93ed68f3a7c89e16dd609658d1d60c
SHA1 5e07617caeebab3cbdc3f36d980777bc0971f8fb
SHA256 16650148258fd10c488557f20a637e9c4a9e5cef8798245c9fe53478c2fca54d
SHA512 bd73d5126797c0038ef430f249766c9b479f19393271bbde35f2679da6971bec7b1eaeeb8875968cf2d0e3b334a44d2f00a3263cdd60e59a1a54fa4ce9cd8df1
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6468188.exe

MD5 c912838867ab8540ebe1934d1e237f16
SHA1 ebfe2eac811a4073ebf1a98d7add4711dd8f6310
SHA256 97f9632b8308485734682550e03b4ae7f3aa7daba4444c9c5e8a892a8066875c
SHA512 ff31e811729d156a229405cfc4a18a89bdd9f4257fff69e01cb239ef9564a518d299277f1094375f7c160f9579ed19993188ef2fe94cfe7058ec8eb49fd40a19
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1111805.exe

MD5 bcb90b1506a33d1c0f75c1f6b5e15e00
SHA1 15745a8edb7e5d22f3d354c940c86c2ef169e114
SHA256 bfe5711d5b0bea2404032920a505dc1321913304eebd7a003c7eda7abd7676e1
SHA512 0dd59b93066e7f0c0a05b5a682b973356f454548fb3564c99b1b5801af86bc168b9cfea1aae443bfa7cd76d2993ecda220d84f86744629607213feb209b23667
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4891288.exe

MD5 d06a765b4a839850bfe55b445d289f9d
SHA1 16ffae344ea228a9d4376b09701cd755266a2f7c
SHA256 b72eb51508205296db36d84afd5eba001a64faf1500e06a05e4cce0ae1bcb9c3
SHA512 cb33361a000977a9fc6053c52782bc69ac50f3d3699ccdda235acd6321d6dd35f60f30670ea0e5982c3d8a4b2be038a3ce16d28db9b61036de527b20f326baf4