Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-rjls4shf44
Target 6d49b0f621026d6830cb38392581341c7854fe85d5ae41dea53bebff573c3cde
SHA256 6d49b0f621026d6830cb38392581341c7854fe85d5ae41dea53bebff573c3cde
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6d49b0f621026d6830cb38392581341c7854fe85d5ae41dea53bebff573c3cde

Threat Level: Known bad

The file 6d49b0f621026d6830cb38392581341c7854fe85d5ae41dea53bebff573c3cde was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 14:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 14:13

Reported

2023-09-10 14:16

Platform

win10v2004-20230831-en

Max time kernel

143s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d49b0f621026d6830cb38392581341c7854fe85d5ae41dea53bebff573c3cde.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6d49b0f621026d6830cb38392581341c7854fe85d5ae41dea53bebff573c3cde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7936183.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5439613.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\6d49b0f621026d6830cb38392581341c7854fe85d5ae41dea53bebff573c3cde.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7936183.exe
PID 4388 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7936183.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5439613.exe
PID 1704 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5439613.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8566902.exe
PID 1704 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5439613.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6481600.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6d49b0f621026d6830cb38392581341c7854fe85d5ae41dea53bebff573c3cde.exe

"C:\Users\Admin\AppData\Local\Temp\6d49b0f621026d6830cb38392581341c7854fe85d5ae41dea53bebff573c3cde.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7936183.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7936183.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5439613.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5439613.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8566902.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8566902.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6481600.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6481600.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7936183.exe

MD5 f11816cf8eaf86c34c5f72667e1f1e36
SHA1 f72b54f0177df0de2c7f0acdeaabcc95dcca977b
SHA256 d12e8d26f4e96390b24e9a9b32fc85e084ac293fd4a82e656d93dcacec698d40
SHA512 e66ae1a5d8181e626130eb10d82931663c38755219bff877aee3a98f14b562723c042818347a06a92d8152fccc35a2063fd58d54e899a063256714305a396fe8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5439613.exe

MD5 6229f5cc7f7a4126432fe8cfd87537da
SHA1 126823fe3b4d596afa0455f0342c105670cea627
SHA256 35f8150d521573319ece91b07ff44b3ba3eac22b8e95966fa15b4ca3a8f0daaf
SHA512 b3c331b5e9b3eb887c90bfb501c276bddae8db6972d65c63610614dd34b97f2d8dc80e5fb34bfa391b2e49407e384b8cb12148ff5b020f510b00a311f567a677

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8566902.exe

MD5 c40d06d44b48b0f4a4a84922ac29301b
SHA1 455e9c947e794d30137bdb37f20ec9cb771a06cc
SHA256 ea053534386005a737f91009ebdfbd607151130239e615e7ea602abf546bd3b1
SHA512 a2e1b431393ea19853b6b6d649f3350f1836a1817d81a242d0815e622ae1eca27c711926f90eb82fe0b167322154dfca5f2bed13d8d6de65dce56173e666c9ca

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6481600.exe

MD5 968b79e1da850482a53bc5bed40ea787
SHA1 a5711d4237d9f3500f6c267a06dc47bb68220bf0
SHA256 1843f8ce47cbf884ed4ff04db72b0e2c5a1bb46477881bdfeb17474b82909ca7
SHA512 7e7cf48a6317d93e8a12f2b2cb89119de9e5a8c336114cff12308b112b29992dc9ae34df79931193c28ad739cf30fecd226e897ce4d67a21a608346f5d07793a
