Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-rxbv3ahg9y
Target 6a809b1c49ed96c4a8fa3549839513d26ffc57baa4cb97dd7a3f5414fec6650e
SHA256 6a809b1c49ed96c4a8fa3549839513d26ffc57baa4cb97dd7a3f5414fec6650e
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6a809b1c49ed96c4a8fa3549839513d26ffc57baa4cb97dd7a3f5414fec6650e

Threat Level: Known bad

The file 6a809b1c49ed96c4a8fa3549839513d26ffc57baa4cb97dd7a3f5414fec6650e was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 14:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 14:33

Reported

2023-09-10 14:36

Platform

win10v2004-20230831-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a809b1c49ed96c4a8fa3549839513d26ffc57baa4cb97dd7a3f5414fec6650e.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6a809b1c49ed96c4a8fa3549839513d26ffc57baa4cb97dd7a3f5414fec6650e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0183118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5169086.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4664 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\6a809b1c49ed96c4a8fa3549839513d26ffc57baa4cb97dd7a3f5414fec6650e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0183118.exe
PID 3688 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0183118.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5169086.exe
PID 4996 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5169086.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4838131.exe
PID 4996 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5169086.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2539021.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6a809b1c49ed96c4a8fa3549839513d26ffc57baa4cb97dd7a3f5414fec6650e.exe

"C:\Users\Admin\AppData\Local\Temp\6a809b1c49ed96c4a8fa3549839513d26ffc57baa4cb97dd7a3f5414fec6650e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0183118.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0183118.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5169086.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5169086.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4838131.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4838131.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2539021.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2539021.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 121.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 121.150.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0183118.exe

MD5 259b6e6f2d9c1330f6fb1635b45c485e
SHA1 fb9eb2e3d11c1ca11993aea02a775cb9a8ae7bf1
SHA256 ff29b2efbb8c866cc7a9cf0de891aca96657015a71c01d5547bae063eea856af
SHA512 7ee052b78e3db473a2f6e7fc2ffa4a841983fcbd2789673e04abfe893eda0f641327397eef0d6b14b8d61ccb6b6356ffb5a954aa86a59a6ab670f9abf805289d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5169086.exe

MD5 a681127234606951d05f4b6a130caa38
SHA1 7d90a66aeed3aa084bb426c3a936812423bc42ea
SHA256 09660f9431baf92ebd0dff6b84692d4b10851fb389607e476e142d982bcb611d
SHA512 d6d8f39b739808c2fec11a3f5961465e4a04b514a41a05949c33f9e65683783fd95445b28e8890b8b828c372b049f0460dd9f06c346e9867913b38dd185f1f5b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4838131.exe

MD5 c456285d95a344c3b1173f2541048606
SHA1 899c3329db1f556523d388edeac5d3453b84728b
SHA256 e3a1251146ee19acf8d19b6d7bf19be621f04d47da5e3a4acd8f7e7d7c04da20
SHA512 714d7b94a814baf24e7460f399e8e5ad1438d57caafe2c431cac82b7cebd133bd4cacd1ea463a6d97cd56d7da976f6b902c53d51b601639b0648e33df086a0a0

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2539021.exe

MD5 8781337438331a46121b30d3f0e9ba47
SHA1 1192597acabb7a4c0ab72cd6f35fa7271773c9f4
SHA256 8815416217b2d30996704e8fd1358a319bdacd01b4114436fa040484e8b49bd0
SHA512 442b39680c66613e3aa2dc6b57f303dd91417eb22833152a534333e878ada4b95ec66a7d0fa39b8fdfbf2a74d7182cedf49a7097b2ee1c20254211eea3ef1f09

memory/3316-24-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/3316-25-0x00000000007F0000-0x0000000000820000-memory.dmp

memory/3316-26-0x000000000ACE0000-0x000000000B2F8000-memory.dmp

memory/3316-27-0x000000000A7D0000-0x000000000A8DA000-memory.dmp

memory/3316-28-0x0000000005230000-0x0000000005240000-memory.dmp

memory/3316-29-0x000000000A6E0000-0x000000000A6F2000-memory.dmp

memory/3316-30-0x000000000A740000-0x000000000A77C000-memory.dmp

memory/3316-31-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/3316-32-0x0000000005230000-0x0000000005240000-memory.dmp