Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-r6s6pshh7z
Target 249250ee0dc7a47d413380bf8a83c2d61b80ad55ae2e129175689fe3ba9abf18
SHA256 249250ee0dc7a47d413380bf8a83c2d61b80ad55ae2e129175689fe3ba9abf18
Tags: redline virad infostealer persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

249250ee0dc7a47d413380bf8a83c2d61b80ad55ae2e129175689fe3ba9abf18

Threat Level: Known bad

The file 249250ee0dc7a47d413380bf8a83c2d61b80ad55ae2e129175689fe3ba9abf18 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 14:48

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 14:48

Reported

2023-09-10 14:51

Platform

win10-20230831-en

Max time kernel

137s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\249250ee0dc7a47d413380bf8a83c2d61b80ad55ae2e129175689fe3ba9abf18.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\249250ee0dc7a47d413380bf8a83c2d61b80ad55ae2e129175689fe3ba9abf18.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0189654.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0477247.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 872 wrote to memory of 4364 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\249250ee0dc7a47d413380bf8a83c2d61b80ad55ae2e129175689fe3ba9abf18.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0189654.exe

Description: PID 4364 wrote to memory of 4112 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0189654.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0477247.exe

Description: PID 4112 wrote to memory of 4848 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0477247.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2167821.exe

Description: PID 4112 wrote to memory of 2608 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0477247.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8912791.exe

Processes

C:\Users\Admin\AppData\Local\Temp\249250ee0dc7a47d413380bf8a83c2d61b80ad55ae2e129175689fe3ba9abf18.exe

"C:\Users\Admin\AppData\Local\Temp\249250ee0dc7a47d413380bf8a83c2d61b80ad55ae2e129175689fe3ba9abf18.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0189654.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0189654.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0477247.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0477247.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2167821.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2167821.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8912791.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8912791.exe

Network

Country Destination Domain Proto
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp
FI 77.91.124.82:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0189654.exe

MD5 e709cd894d6e91b74551ff5623c07b4f
SHA1 d7fd873c118b7265b9dc81cdb60d36c31039d3f3
SHA256 772a5cfac627a06c146308f49ae5210c8d3c9c4f2bd495e55aee31db9789a3c9
SHA512 6cd3b019b2646be32968458ec25f56050ad19910cfd178aa9d04de22bb9ff6676763ac903cc6e3e825c227f7b162e440ca8d8f922ae4a763e08e90d1662962fa

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0477247.exe

MD5 a267d33ccfe820904bb289f55de59e71
SHA1 dc0a6f8b23fa28817feb9e34a0d1cccfc648fb48
SHA256 8b6c928c73c589cd67892c0f635908e3c7bf048d6ca16f20ff4f1112df899373
SHA512 f8ca79000a556ea4a9fea7f27e0103360084dff945fefe6cc5a1772cb7eea0fe0ae6fb85c7b253645d22082958e4acb8fb42c17b60f308b8dba4685eea9ee7f9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2167821.exe

MD5 6ba454fb0fc0e2bfa07d1c7888e270f5
SHA1 6eeab94bcc470d48bd35e90f2dd130fcac2de63b
SHA256 0d5f3fe3cf36e87a1c075dc25f91ccdcd6c193af90644432859adbacb940ac56
SHA512 9a4ebc3ea4150987d22916e109ceee48eff20701b2ec815fcc85a0151e1d866af5554cd5af899cf5c4948488a55f6c96aca860db2c0609062ca5f4fbbd8d01db

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8912791.exe

MD5 66a69f666d330e7e5740b6c2294948b7
SHA1 d1e8d96498a065463a43fd8ce52b847a62cbf63e
SHA256 c2fea801ddb8b11ea981097bba0a8336fd608d64b849c8643db42a7b0a56c135
SHA512 f4cfd4ed6b2f7c3c1c0076acf79dab88707f74a34cc3a604499929dbe8cda4fdf1fb29f1743ef0fd4049efb6e1e91cc555e0cfe13e42a48f8cf16c45244015c3

memory/2608-24-0x0000000000FB0000-0x0000000000FE0000-memory.dmp

memory/2608-25-0x0000000073530000-0x0000000073C1E000-memory.dmp

memory/2608-26-0x0000000005730000-0x0000000005736000-memory.dmp

memory/2608-27-0x000000000B230000-0x000000000B836000-memory.dmp

memory/2608-28-0x000000000ADC0000-0x000000000AECA000-memory.dmp

memory/2608-29-0x000000000ACF0000-0x000000000AD02000-memory.dmp

memory/2608-30-0x000000000AD50000-0x000000000AD8E000-memory.dmp

memory/2608-31-0x000000000AED0000-0x000000000AF1B000-memory.dmp

memory/2608-32-0x0000000073530000-0x0000000073C1E000-memory.dmp