Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-rc1npahf31
Target aa44655ab4df2d57f05b16fb6f57fd4c2d8d3038048215d99ae7312941af1321
SHA256 aa44655ab4df2d57f05b16fb6f57fd4c2d8d3038048215d99ae7312941af1321
Tags
redline virad infostealer persistence
score
10/10


Analysis Overview

score
10/10

SHA256

aa44655ab4df2d57f05b16fb6f57fd4c2d8d3038048215d99ae7312941af1321

Threat Level: Known bad

The file aa44655ab4df2d57f05b16fb6f57fd4c2d8d3038048215d99ae7312941af1321 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 14:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 14:03

Reported

2023-09-10 14:06

Platform

win10-20230831-en

Max time kernel

134s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa44655ab4df2d57f05b16fb6f57fd4c2d8d3038048215d99ae7312941af1321.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\aa44655ab4df2d57f05b16fb6f57fd4c2d8d3038048215d99ae7312941af1321.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8976518.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3357890.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\aa44655ab4df2d57f05b16fb6f57fd4c2d8d3038048215d99ae7312941af1321.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8976518.exe
PID 4116 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8976518.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3357890.exe
PID 2292 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3357890.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4315753.exe
PID 2292 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3357890.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2483752.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa44655ab4df2d57f05b16fb6f57fd4c2d8d3038048215d99ae7312941af1321.exe

"C:\Users\Admin\AppData\Local\Temp\aa44655ab4df2d57f05b16fb6f57fd4c2d8d3038048215d99ae7312941af1321.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8976518.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8976518.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3357890.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3357890.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4315753.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4315753.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2483752.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2483752.exe

Network

Country Destination Domain Proto
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 1.0.9.d.c.d.d.7.8.5.d.1.7.0.c.9.1.0.9.d.c.d.d.7.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8976518.exe

MD5 a5ac0adbab0872b55d9f5cdd73dcec2e
SHA1 15dd1bca3d495527284143cb5eda2d1ab41c40b8
SHA256 90bc6ee3ef6d2f23a8761c2144c7c8be630bb4dfd1d0e6d71f78fd5d15caab28
SHA512 77c8ff9040a00766104d8476b4026315bc936386d1ec213f234df17b37eef84648b578a38f493cea7546ae3e7f0e6fd7d8a0477645f76541c48215c175f996ee

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3357890.exe

MD5 8e03a6467984526c6e88fc4707c76702
SHA1 05c188f84467ddae39b721a5c74d0649c35ef7a2
SHA256 638cb3c85e631d1e2214d9bdfbd92ad8cca6a0d60b8b67a98c07b8b4b16aada8
SHA512 08a9063797d06790a2f50bb6452f9eb3410b0ee90d4ab7c076eb2279e23c37a480c2c153d7d38729286b25d713230a21251feb1527027884ee01f3c5f08feb43

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4315753.exe

MD5 955eaf5683391d78fb840a75a3f229e8
SHA1 102c5e3fbe1dee7485808e1cf3c28d5cbb8cc8d7
SHA256 be68f7a1c963cc524b6c7c594b1adc18531c9d1a7cedd9a7cdc33f0ec1256e4f
SHA512 3a70375ebe3840690b308f920e8c5c7bc0a433e4919d8f6f31b1d017a6a72ee5e4fb234f18d79f59f454bee454fd272da63c26bc54d30c0d8a3326bc96fa1219

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2483752.exe

MD5 89aa446ad97def32943dc98a77a79e85
SHA1 756841a9c2a8684ecdb351a9363544ca75688f87
SHA256 c419c5eca730f62c34af833b458d8ceb75f90d9835eed9f46b4c269fe34cdfb3
SHA512 4cb10075a7a707528f4f81f70c0ef7737f3542b3f437f31d1f23eb21e2f8e43106710a6d92b47f45e99d439690b4ef1028621d986481385303249425ffa0cc62