Malware Analysis Report

2025-03-15 01:45

Sample ID: 230910-rtfd3shg36
Target: 46fa37194327c53d495f3c00f3e70775710d3b23827876633b4d3a480ef15a6e
SHA256: 46fa37194327c53d495f3c00f3e70775710d3b23827876633b4d3a480ef15a6e
Tags: redline virad infostealer persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 46fa37194327c53d495f3c00f3e70775710d3b23827876633b4d3a480ef15a6e

Threat Level: Known bad

The file 46fa37194327c53d495f3c00f3e70775710d3b23827876633b4d3a480ef15a6e was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-09-10 14:28

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-09-10 14:28
Reported: 2023-09-10 14:31
Platform: win10v2004-20230831-en
Max time kernel: 141s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46fa37194327c53d495f3c00f3e70775710d3b23827876633b4d3a480ef15a6e.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\46fa37194327c53d495f3c00f3e70775710d3b23827876633b4d3a480ef15a6e.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587778.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1837070.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 4496 wrote to memory of 1712 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\46fa37194327c53d495f3c00f3e70775710d3b23827876633b4d3a480ef15a6e.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587778.exe

Description: PID 1712 wrote to memory of 2080 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587778.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1837070.exe

Description: PID 2080 wrote to memory of 4464 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1837070.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2725955.exe

Description: PID 2080 wrote to memory of 2172 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1837070.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0292856.exe

Processes

Image path: C:\Users\Admin\AppData\Local\Temp\46fa37194327c53d495f3c00f3e70775710d3b23827876633b4d3a480ef15a6e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\46fa37194327c53d495f3c00f3e70775710d3b23827876633b4d3a480ef15a6e.exe"

Image path: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587778.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587778.exe

Image path: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1837070.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1837070.exe

Image path: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2725955.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2725955.exe

Image path: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0292856.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0292856.exe

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53          158.240.127.40.in-addr.arpa   udp
US       8.8.8.8:53          240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
RU       5.42.92.211:80      5.42.92.211                   tcp
US       8.8.8.8:53          211.92.42.5.in-addr.arpa      udp
US       8.8.8.8:53          241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53          54.120.234.20.in-addr.arpa    udp
FI       77.91.124.82:19071  -                             tcp
US       8.8.8.8:53          50.23.12.20.in-addr.arpa      udp
US       8.8.8.8:53          41.110.16.96.in-addr.arpa     udp
US       8.8.8.8:53          171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53          208.194.73.20.in-addr.arpa    udp
US       8.8.8.8:53          135.1.85.104.in-addr.arpa     udp
FI       77.91.124.82:19071  -                             tcp
US       8.8.8.8:53          254.177.238.8.in-addr.arpa    udp
FI       77.91.124.82:19071  -                             tcp
FI       77.91.124.82:19071  -                             tcp
FI       77.91.124.82:19071  -                             tcp
FI       77.91.124.82:19071  -                             tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587778.exe

MD5 66f96a1f7f258b5f5d4ce1df743fc602
SHA1 7280b0aba3fa25e9e728eb7e44634014f93dc37a
SHA256 22c9d85ae9b9ce4a08cec3baee49ddef74f1f95f5dad22e178744684a49ea572
SHA512 e1e8022ffd6c4d7f0d60695fb18cd096aeacbe7eb36d6a5f8f05526c99133941c6b80ba99864e5a74cc630448523b97e63d034360a3853f9c8e80c8672481026

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1837070.exe

MD5 5f0e7c3f626a9a74018d98dbc9a49e72
SHA1 b71415979142c02a9e82db8d4a5fc2a7a1bfa65d
SHA256 01b6b5437c6e183a342ab3f156816d59f133c66afea79501d34be11f56159303
SHA512 de33e6e54a3cdbf3474eedd56e039e9856c7467ffbc942aa3c80b7b114d0836cc538e8d62a35102e9f93c1dc09958a55f85ab58e1df9c00a0b5a57d04e5ffa86

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2725955.exe

MD5 7c6bad29a69ea01e9c25ba6718984e20
SHA1 47d5982e258323be0f47d315a8d1e601ec47dc18
SHA256 843d24934838a19b384530f7e6faad3be4f80453dc6fe706c702609fc26878b1
SHA512 15fe6baa6255eacda70ae8c06d08f5d0b53e4c2f362cc5efc96515f1667be03e12e7c91b02b39421b671760b543256d33f726a64b33f665679a7d505b4b253ab

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0292856.exe

MD5 f85757575057789dd8bd8dca77a4c0c5
SHA1 fb4fc2d66758ad3e8bde01b15149c2b3f76cf44b
SHA256 ed518349e219582792c340878e6b91cd14c7c6ad1bb276c69dcb0cedabb8ef5d
SHA512 6c0437da66218e44424da2b7cb7e68810939851b41affc4d36dff19067e5ae3817c3b248fe644b6203e3ad1b83f46f2c03943061a83e68d4a1f7fde8f4124d93

memory/2172-24-0x0000000074430000-0x0000000074BE0000-memory.dmp
memory/2172-25-0x0000000000380000-0x00000000003B0000-memory.dmp
memory/2172-26-0x0000000005420000-0x0000000005A38000-memory.dmp
memory/2172-27-0x0000000004F10000-0x000000000501A000-memory.dmp
memory/2172-29-0x0000000004BF0000-0x0000000004C00000-memory.dmp
memory/2172-28-0x0000000004E50000-0x0000000004E62000-memory.dmp
memory/2172-30-0x0000000004EB0000-0x0000000004EEC000-memory.dmp
memory/2172-31-0x0000000074430000-0x0000000074BE0000-memory.dmp
memory/2172-32-0x0000000004BF0000-0x0000000004C00000-memory.dmp