Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-rfynhahf37
Target bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c
SHA256 bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c
Tags
redline virad infostealer persistence
score
10/10

Analysis Overview

score
10/10

SHA256

bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c

Threat Level: Known bad

The file bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 14:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 14:08

Reported

2023-09-10 14:11

Platform

win10v2004-20230831-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7783496.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2584 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7783496.exe
PID 2584 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7783496.exe
PID 2584 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7783496.exe
PID 4280 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7783496.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe
PID 4280 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7783496.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe
PID 4280 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7783496.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe
PID 2284 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2013668.exe
PID 2284 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2013668.exe
PID 2284 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2013668.exe
PID 2284 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7400100.exe
PID 2284 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7400100.exe
PID 2284 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7400100.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c.exe

"C:\Users\Admin\AppData\Local\Temp\bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7783496.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7783496.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2013668.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2013668.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7400100.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7400100.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7783496.exe

MD5 177571e8876ad2182abc357a7e29ccbb
SHA1 dac8f766e3dc393e7e0d4e699e6b934c76c06b70
SHA256 9e6b9717c667c757d0a018b2700e5618afd01546cfcd2e319e9e889d78bf761c
SHA512 c66c397ef12f3d31f1db257fc5c18e0474b5d28853af396b7216da78e75bde52e384dd90e9f292980b782dae47af0466a0a33aa3dbd5b098f38fa0495f6a2cb0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe

MD5 e4b834639fe34ecfe7eaa709b6205522
SHA1 18b3d261327805dbab4b2ae7a684018dd76b22cb
SHA256 f31f13d7735b1d4f69b19345fd58ca2d6ce885445d4e2ac36e8ad7a70a16a7cc
SHA512 44587772930b48f4e541a3fea2297a8ef102a2d5f65e3952774f2a833029739de36fba60d0c47f2403385b1acf268b1b48094ce3db10d462965d3fe6d5e945ed

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2013668.exe

MD5 802bb7b0dbb651daeeaea30acabf0bd3
SHA1 ab486299ddfc55dea4f6e67a5496b860c151bde8
SHA256 bd312dff389a8caf9999c4cfaad3d2b07778a650a0e00ab6fea74f8169bfd574
SHA512 2054ecfbd80aa146dde576fb27d4aff0db1847e31f5aac271cc227aebe678740bd1da71bdb9908d7ed8af7c9d23dc322cd450ccc2454d024f6d32170683176ac

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7400100.exe

MD5 f031a6fa3f5e72d19c34ae0989833bc7
SHA1 10d506f8c8ba945ff6ed3faad4825d6e164e40ae
SHA256 75042be8dd3700d2bfd43ddf5e85341823a5c6948e41774b4a5b7ee14d4c6090
SHA512 958c267c95f1448a33c508aa56e0b70c50cd40672af4b4f15b78fcc84b875e25260a4233ec55a43f4e1fe420c34fdc701e38c1b32aad96664d9019706a810f5e

memory/1284-24-0x0000000000130000-0x0000000000160000-memory.dmp

memory/1284-25-0x0000000074330000-0x0000000074AE0000-memory.dmp

memory/1284-26-0x0000000005160000-0x0000000005778000-memory.dmp

memory/1284-27-0x0000000004C50000-0x0000000004D5A000-memory.dmp

memory/1284-28-0x0000000004A30000-0x0000000004A40000-memory.dmp

memory/1284-29-0x00000000049C0000-0x00000000049D2000-memory.dmp

memory/1284-30-0x0000000004B40000-0x0000000004B7C000-memory.dmp

memory/1284-31-0x0000000074330000-0x0000000074AE0000-memory.dmp

memory/1284-32-0x0000000004A30000-0x0000000004A40000-memory.dmp