Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-r3wseshh6s
Target 384197f74be5c69714942fc71ac11f515e7156c8517923876db01ed4f627d356
SHA256 384197f74be5c69714942fc71ac11f515e7156c8517923876db01ed4f627d356
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

384197f74be5c69714942fc71ac11f515e7156c8517923876db01ed4f627d356

Threat Level: Known bad

The file 384197f74be5c69714942fc71ac11f515e7156c8517923876db01ed4f627d356 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 14:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 14:43

Reported

2023-09-10 14:46

Platform

win10v2004-20230831-en

Max time kernel

136s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\384197f74be5c69714942fc71ac11f515e7156c8517923876db01ed4f627d356.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\384197f74be5c69714942fc71ac11f515e7156c8517923876db01ed4f627d356.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe N/A
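
The three values in this table are RunOnce entries named wextract_cleanup0 to wextract_cleanup2 whose data is rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>". That is the self-delete hook a Windows IExpress/wextract self-extracting package writes so that its IXP00n.TMP extraction directory is removed at the next logon; it is why the generic "Adds Run key to start application" signature fired, but it does not start the payload again and the value is consumed once. What the entries do show is a three-layer nested SFX (IXP000.TMP, then IXP001.TMP, then IXP002.TMP, each written by the executable extracted from the previous layer), so any real persistence would have to come from m1325067.exe or n2793218.exe, and none is recorded here. The Python below is an added example, not part of the sandbox report or its tooling: it parses rows in the format above, separates SFX cleanup entries from genuine Run/RunOnce autostarts, and counts the nesting depth. The three report rows are embedded verbatim; the extra Run-key row is constructed for contrast and was not observed for this sample.

```python
import ntpath
import re

# The three "Set value" rows from the RunOnce table above, copied verbatim.
REPORT_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\384197f74be5c69714942fc71ac11f515e7156c8517923876db01ed4f627d356.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe N/A
'''

# Constructed contrast row, NOT observed for this sample: a plain Run-key autostart,
# so the classifier has something to tell apart from the SFX cleanup entries.
CONSTRUCTED_AUTOSTART = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Example = "C:\\Users\\Admin\\AppData\\Roaming\\example.exe" C:\Users\Admin\AppData\Roaming\example.exe N/A
'''

# Row layout: Set value (type) <key\value> = "<data, C-style escaped>" <writer process> <target>
REG_LINE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+) = "(?P<data>.*)" (?P<writer>\S+) (?P<target>\S+)$')
AUTOSTART_KEY = re.compile(
    r'\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$', re.I)
# The cleanup command wextract/IExpress registers: advpack!DelNodeRunDLL32 deletes the quoted directory.
WEXTRACT_CLEANUP = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"$', re.I)
IXP_DIR = re.compile(r'\\(IXP\d{3}\.TMP)\\?$', re.I)


def parse_registry_event(line):
    """Split one 'Set value' row into key, value name, unescaped data and writer."""
    m = REG_LINE.match(line.strip())
    if not m:
        return None
    key, value_name = m['key'].rsplit('\\', 1)
    return {
        'key': key,
        'value_name': value_name,
        'data': re.sub(r'\\(.)', r'\1', m['data']),  # undo \" and \\ escaping
        'writer': m['writer'],
    }


def classify(ev):
    """Label the event: SFX cleanup hook, real autostart, or neither."""
    ev['autostart_key'] = bool(AUTOSTART_KEY.search(ev['key']))
    cm = WEXTRACT_CLEANUP.match(ev['data'])
    if cm and ev['value_name'].lower().startswith('wextract_cleanup'):
        ev['kind'] = 'wextract_cleanup'   # deletes the temp dir at next logon, then disappears
        ev['deleted_dir'] = cm['dir']
    elif ev['autostart_key']:
        ev['kind'] = 'autostart'          # a program the writer wants launched at logon
    else:
        ev['kind'] = 'other'
    return ev


def triage(lines):
    """Classify every row and derive the SFX nesting depth and any payload autostarts."""
    events = [classify(ev) for ev in map(parse_registry_event, lines) if ev]
    sfx_dirs = set()
    for ev in events:
        if ev['kind'] == 'wextract_cleanup':
            m = IXP_DIR.search(ev['deleted_dir'])
            if m:
                sfx_dirs.add(m.group(1).upper())
    return {
        'events': events,
        'sfx_dirs': sorted(sfx_dirs),
        'sfx_chain_depth': len(sfx_dirs),
        'payload_autostarts': [ev for ev in events if ev['kind'] == 'autostart'],
    }


if __name__ == '__main__':
    result = triage((REPORT_EVENTS + CONSTRUCTED_AUTOSTART).strip().splitlines())
    for ev in result['events']:
        print(f"{ev['kind']:17} {ev['value_name']:18} written by {ntpath.basename(ev['writer'])}")
    print('nested SFX layers:', result['sfx_chain_depth'], result['sfx_dirs'])
    print('payload autostarts:', [ev['value_name'] for ev in result['payload_autostarts']])
```

Run against the three report rows alone, the script reports three cleanup entries, a chain depth of three and no payload autostart; the constructed Run-key row is the only thing it would escalate.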

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 232 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\384197f74be5c69714942fc71ac11f515e7156c8517923876db01ed4f627d356.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe
PID 232 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\384197f74be5c69714942fc71ac11f515e7156c8517923876db01ed4f627d356.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe
PID 232 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\384197f74be5c69714942fc71ac11f515e7156c8517923876db01ed4f627d356.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe
PID 4704 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe
PID 4704 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe
PID 4704 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe
PID 1356 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1325067.exe
PID 1356 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1325067.exe
PID 1356 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1325067.exe
PID 1356 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2793218.exe
PID 1356 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2793218.exe
PID 1356 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2793218.exe

Processes

C:\Users\Admin\AppData\Local\Temp\384197f74be5c69714942fc71ac11f515e7156c8517923876db01ed4f627d356.exe

"C:\Users\Admin\AppData\Local\Temp\384197f74be5c69714942fc71ac11f515e7156c8517923876db01ed4f627d356.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1325067.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1325067.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2793218.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2793218.exe
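
Every write in the WriteProcessMemory table goes from a process to the executable it had just extracted and launched, and the Processes list shows the same chain: the submitted file starts IXP000.TMP\y3743705.exe, which starts IXP001.TMP\y2110882.exe, which starts both IXP002.TMP\m1325067.exe and IXP002.TMP\n2793218.exe. A parent writing into the child it has just created is also what an ordinary process start produces (CreateProcess writes the process parameters into the new child), so this signature by itself does not establish code injection; what would be telling is a write into a process whose image is a Windows binary, the usual hollowing target, and there is none in this report. The Python below is an added example, not part of the report: it rebuilds the process tree from the WriteProcessMemory rows (embedded verbatim), counts writes per parent/child edge, measures chain depth, and lists any writes into images under C:\Windows.

```python
import ntpath
import re
from collections import Counter, defaultdict

# The WriteProcessMemory rows from the report, one line per recorded write (repeats are real).
REPORT_WRITES = r'''
PID 232 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\384197f74be5c69714942fc71ac11f515e7156c8517923876db01ed4f627d356.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe
PID 232 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\384197f74be5c69714942fc71ac11f515e7156c8517923876db01ed4f627d356.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe
PID 232 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\384197f74be5c69714942fc71ac11f515e7156c8517923876db01ed4f627d356.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe
PID 4704 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe
PID 4704 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe
PID 4704 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe
PID 1356 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1325067.exe
PID 1356 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1325067.exe
PID 1356 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1325067.exe
PID 1356 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2793218.exe
PID 1356 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2793218.exe
PID 1356 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2793218.exe
'''

# Row layout: PID <writer> wrote to memory of <target> <indicator> <writer image> <target image>
WPM_LINE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$')


def parse_writes(lines):
    """Yield (writer_pid, target_pid, writer_image, target_image) for each recorded write."""
    for line in lines:
        m = WPM_LINE.match(line.strip())
        if m:
            yield int(m['src']), int(m['dst']), m['src_img'], m['dst_img']


def build_tree(writes):
    """Collapse repeated writes into parent/child edges with a per-edge write count."""
    images, children, counts = {}, defaultdict(list), Counter()
    for src, dst, src_img, dst_img in writes:
        images[src], images[dst] = src_img, dst_img
        counts[(src, dst)] += 1
        if dst not in children[src]:
            children[src].append(dst)
    targets = {c for cs in children.values() for c in cs}
    return {
        'images': images,
        'children': dict(children),
        'write_counts': counts,
        'roots': [p for p in children if p not in targets],  # writers nobody wrote into
    }


def render(tree, pid=None, depth=0, out=None):
    """Indented text tree: pid, image basename, and how many writes the parent made into it."""
    out = [] if out is None else out
    for child in (tree['roots'] if pid is None else tree['children'].get(pid, [])):
        note = '(root)' if pid is None else f"({tree['write_counts'][(pid, child)]} writes from {pid})"
        out.append('  ' * depth + f"{child} {ntpath.basename(tree['images'][child])} {note}")
        render(tree, child, depth + 1, out)
    return out


def chain_depth(tree, pid=None):
    """Longest root-to-leaf path, counted in processes."""
    nodes = tree['roots'] if pid is None else tree['children'].get(pid, [])
    return max((1 + chain_depth(tree, p) for p in nodes), default=0)


def injection_candidates(tree):
    """Edges whose target image lives under C:\\Windows: the classic hollowing pattern."""
    return [(s, d) for (s, d) in tree['write_counts']
            if tree['images'][d].lower().startswith('c:\\windows\\')]


if __name__ == '__main__':
    tree = build_tree(parse_writes(REPORT_WRITES.strip().splitlines()))
    print('\n'.join(render(tree)))
    print('chain depth:', chain_depth(tree))
    print('writes into Windows binaries:', injection_candidates(tree))
```

For this report the tree has a single root (PID 232), three writes per edge, a depth of four processes, and an empty list of writes into Windows binaries.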

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
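
Of the 20 rows above, 13 are PTR queries sent to 8.8.8.8 for in-addr.arpa names, which are reverse lookups of IP addresses rather than contacts with them; only one of those (211.92.42.5.in-addr.arpa, i.e. 5.42.92.211) corresponds to a destination the sample actually connected to, and the rest are most likely reverse lookups of background traffic on the sandbox host. The connections worth carrying forward as indicators are the HTTP request to 5.42.92.211:80 and the six TCP connections to 77.91.124.82 on the non-standard port 19071, which is consistent with the RedLine tag on this report (RedLine clients talk to their panel over a raw TCP connection on a high port). The Python below is an added example, not part of the report: it parses the rows (embedded verbatim), unreverses the PTR names, separates resolver traffic from direct connections, and ranks non-standard-port destinations as C2 candidates.

```python
import re
from collections import Counter

# Network rows copied from the report (Country Destination Domain Proto; the Domain column
# is empty for the raw TCP connections).
REPORT_NETWORK = '''
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
'''

NET_LINE = re.compile(
    r'^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$')
STANDARD_PORTS = {53, 80, 443}   # anything else is ranked as a C2 candidate


def ptr_to_ip(name):
    """'211.92.42.5.in-addr.arpa' -> '5.42.92.211'; None if the name is not a PTR query."""
    suffix = '.in-addr.arpa'
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split('.')
    return '.'.join(reversed(octets)) if len(octets) == 4 else None


def summarize(lines):
    """Separate resolver traffic from direct connections and rank the latter."""
    flows, countries, ptr_lookups, resolvers = Counter(), {}, [], set()
    for line in lines:
        m = NET_LINE.match(line.strip())
        if not m:
            continue
        ip, port, proto = m['ip'], int(m['port']), m['proto']
        looked_up = ptr_to_ip(m['domain']) if m['domain'] else None
        if looked_up:                       # a reverse lookup, not a contact with looked_up
            ptr_lookups.append(looked_up)
            resolvers.add(f'{ip}:{port}')
        else:                               # a real connection to the destination
            flows[(ip, port, proto)] += 1
            countries[ip] = m['cc']
    direct = {ip for ip, _, _ in flows}
    c2 = sorted(((ip, port, proto, n) for (ip, port, proto), n in flows.items()
                 if port not in STANDARD_PORTS), key=lambda t: -t[3])
    return {
        'flows': flows,
        'countries': countries,
        'resolvers': resolvers,
        'ptr_lookups': ptr_lookups,
        'ptr_for_direct': [ip for ip in ptr_lookups if ip in direct],
        'ptr_unexplained': [ip for ip in ptr_lookups if ip not in direct],
        'c2_candidates': c2,
    }


if __name__ == '__main__':
    s = summarize(REPORT_NETWORK.strip().splitlines())
    for (ip, port, proto), n in s['flows'].most_common():
        print(f'{s["countries"][ip]} {ip}:{port}/{proto} x{n}')
    print('resolvers used:', sorted(s['resolvers']))
    print('PTR lookups matching a direct destination:', s['ptr_for_direct'])
    print('PTR lookups with no matching connection:', len(s['ptr_unexplained']))
    print('C2 candidates (non-standard port):', s['c2_candidates'])
```

The resulting indicator list is two destinations, with 77.91.124.82:19071 ranked first on volume and port; the twelve unexplained PTR lookups are left out rather than listed as contacted hosts.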

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3743705.exe

MD5 04fecda50ae10d88e68f4823e26c8aa7
SHA1 62c4227482f734dd8a39aba686590652a5f61118
SHA256 651ea2212bbec2b28b1e00075ab3870dd49970325b952de327fb994c66894677
SHA512 c5a6aeb1b9f3613cd2040f462e06b3d2c982cc1fca888b42fdd228f072c0e7cf4069b4c762c3f66df22f2ecc2932fb34d1c67a5660460fe9fd14637a627fb479

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2110882.exe

MD5 d226e5e8b7cc4be2fa590ff2bbcdcdd9
SHA1 7d9abbf61c65e3301937f23b9120b4200d678e6f
SHA256 82ed40c8cd0f5abd89a4da8e8cd606f656339149d931bb3ee2ba856814c68976
SHA512 c89401c1dfa31d79bf630ec0c413b00ae51c96bbe6be578aae358eb906f3ff2be8aebb9debd56b7d6aa37ebf8a9feb6a432ec8655d1e1753eca232f8351b2906

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1325067.exe

MD5 b3f82ed9162951686116917cb289a6a9
SHA1 97dc239281da64bbac0820e7feef85fa9833e4d7
SHA256 45cb81d7fd1ced6ab880766de6f63cd8b9be20864535f9aec772290d68db929d
SHA512 b642b22e54e8d22b97c151d61b468e36f6794e86cd4e22700d5971f6d1436f5df4400bb12ff3d26c127f27fe80551cd9ce01a366c20dd0794b3cf73cca6e2c7e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2793218.exe

MD5 11c195b36eefccbe7c00a0737af92439
SHA1 e7ea94e4b70ea989fd85cbf1061bef635756534a
SHA256 eda2552cb447a44f47349ae5b27d9472728f4df1c6997cb9441a190f1d9fb914
SHA512 e86060f93e52f1cbfdea5ff9bcfb0672711f0cb85dc3016d372693f7eec09b4e7ba8fabafc61b59114cb4701f834ac9e3f0d39f0a55bb272b843822ccd40f484

memory/2076-24-0x0000000000D20000-0x0000000000D50000-memory.dmp

memory/2076-25-0x0000000073E60000-0x0000000074610000-memory.dmp

memory/2076-26-0x0000000005E20000-0x0000000006438000-memory.dmp

memory/2076-27-0x0000000005910000-0x0000000005A1A000-memory.dmp

memory/2076-29-0x00000000055F0000-0x0000000005600000-memory.dmp

memory/2076-28-0x0000000005800000-0x0000000005812000-memory.dmp

memory/2076-30-0x0000000005860000-0x000000000589C000-memory.dmp

memory/2076-31-0x0000000073E60000-0x0000000074610000-memory.dmp

memory/2076-32-0x00000000055F0000-0x0000000005600000-memory.dmp