Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-rqfknshg6v
Target c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0
SHA256 c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0
Tags: redline virad infostealer persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0

Threat Level: Known bad

The file c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 14:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 14:23

Reported

2023-09-10 14:26

Platform

win10-20230831-en

Max time kernel

135s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4357699.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4744 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4357699.exe
PID 4744 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4357699.exe
PID 4744 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4357699.exe
PID 3180 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4357699.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe
PID 3180 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4357699.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe
PID 3180 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4357699.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe
PID 2248 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9084100.exe
PID 2248 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9084100.exe
PID 2248 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9084100.exe
PID 2248 wrote to memory of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5879334.exe
PID 2248 wrote to memory of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5879334.exe
PID 2248 wrote to memory of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5879334.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4357699.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4357699.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9084100.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9084100.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5879334.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5879334.exe

Network

Country | Destination | Domain | Proto
RU | 5.42.92.211:80 | 5.42.92.211 | tcp
US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
FI | 77.91.124.82:19071 | | tcp
FI | 77.91.124.82:19071 | | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
US | 8.8.8.8:53 | 130.109.69.13.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4357699.exe

MD5 d746aca1a02da777428721426b71173a
SHA1 e399ba07b96d66c1ca94163120d6ddb0713136ea
SHA256 8151305704079a52672c5460b1acc501ed92fdaa5cbadf5597ad11b05cd31321
SHA512 85d8ac2d68d7e29ec55d6dcad21b0684f2dc294c4184279dc548fd79f43b14bc0e8f58d80a8a957d50763b217dc1cf76ef22af0c32583909659698b7cabeb277

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe

MD5 2f6967348d882aa9411ae49b5d4ee86a
SHA1 dad514ee457072d01e6931ac72d839a3dfaaf9c8
SHA256 1a13962a0f1d9c75d806a8d3eb877b6546164f832ce449293599f817019690a6
SHA512 57df2fc1cfcb9306be4121b914a080cf7db778b56cdaa647a7ead8abc36e624dc9eea6f1f3c41d05fe89f008ec4d7ca4099d190a4b191ed9c1842fd961ea9964

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9084100.exe

MD5 0c8c4061602d1326e80bdd610f5f412e
SHA1 538d05ecef866fc4de093974b9d4d38692c8edc5
SHA256 da1f4be5289dbafe034250661a679d0c8382aac17f6898a4f250bbeae72a40d0
SHA512 3d8af05add2ee522645007454c473a5e3fa401b758c67f404688f83634302a880e32e7b9cfcaa1d99f8634ab6d911ce6ae18110fb89db33890def2cf34a742ea

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5879334.exe

MD5 026bb3ccc6781d041e4e1d1c5e930a48
SHA1 74cedcdc01119ad2e652475a3c61b3259f8f0277
SHA256 11f2cbc7995c850b0fb593240b8dc1a3acb26ac7dfdc31c02aa37c7440eab7ef
SHA512 01fbe0304e2d7b403f01a549578326d271319d16e0b9c99446a67e413f6cc01745ad0ffa7c8701b1239d68e36b39b3ef9bcccfd65782e89391bf9ad71e5e46d5

memory/5108-24-0x0000000000440000-0x0000000000470000-memory.dmp
memory/5108-25-0x0000000073800000-0x0000000073EEE000-memory.dmp
memory/5108-26-0x0000000000BE0000-0x0000000000BE6000-memory.dmp
memory/5108-27-0x000000000A6D0000-0x000000000ACD6000-memory.dmp
memory/5108-28-0x000000000A250000-0x000000000A35A000-memory.dmp
memory/5108-29-0x000000000A180000-0x000000000A192000-memory.dmp
memory/5108-30-0x000000000A1E0000-0x000000000A21E000-memory.dmp
memory/5108-31-0x000000000A360000-0x000000000A3AB000-memory.dmp
memory/5108-32-0x0000000073800000-0x0000000073EEE000-memory.dmp