Malware Analysis Report

2025-03-15 01:45

Sample ID: 230910-rz8mtahg85
Target: 0cc8535f4f092be307e2427d363407452d0e3f24c7fe9773e035babe6c77e7fd
SHA256: 0cc8535f4f092be307e2427d363407452d0e3f24c7fe9773e035babe6c77e7fd
Tags: redline virad infostealer persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 0cc8535f4f092be307e2427d363407452d0e3f24c7fe9773e035babe6c77e7fd

Threat Level: Known bad

The file 0cc8535f4f092be307e2427d363407452d0e3f24c7fe9773e035babe6c77e7fd was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 14:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 14:38

Reported

2023-09-10 14:41

Platform

win10-20230831-en

Max time kernel

138s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0cc8535f4f092be307e2427d363407452d0e3f24c7fe9773e035babe6c77e7fd.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5682608.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7019901.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\0cc8535f4f092be307e2427d363407452d0e3f24c7fe9773e035babe6c77e7fd.exe
Target: N/A

Note: the RunOnce wextract_cleanupN values are the cleanup entries written by the Windows self-extractor (wextract/IExpress) so that advpack.dll DelNodeRunDLL32 deletes the IXP00N.TMP extraction directory at next logon; they do not relaunch the payload. Their presence at three levels (IXP000, IXP001, IXP002) shows a three-stage nested self-extracting chain, which matches the process chain recorded below.

Suspicious use of WriteProcessMemory

Indicator: N/A for every row. Identical rows were reported three times each in the original log and are collapsed here with their event count.

Description: PID 4788 wrote to memory of 2804 (3 events)
Process: C:\Users\Admin\AppData\Local\Temp\0cc8535f4f092be307e2427d363407452d0e3f24c7fe9773e035babe6c77e7fd.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5682608.exe

Description: PID 2804 wrote to memory of 536 (3 events)
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5682608.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7019901.exe

Description: PID 536 wrote to memory of 4576 (3 events)
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7019901.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2089591.exe

Description: PID 536 wrote to memory of 4264 (3 events)
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7019901.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6037580.exe

Processes

Process tree (parent/child relationships and PIDs taken from the WriteProcessMemory events above; each entry lists the image path followed by its recorded command line):

C:\Users\Admin\AppData\Local\Temp\0cc8535f4f092be307e2427d363407452d0e3f24c7fe9773e035babe6c77e7fd.exe (PID 4788)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0cc8535f4f092be307e2427d363407452d0e3f24c7fe9773e035babe6c77e7fd.exe"

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5682608.exe (PID 2804)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5682608.exe

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7019901.exe (PID 536)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7019901.exe

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2089591.exe (PID 4576)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2089591.exe

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6037580.exe (PID 4264)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6037580.exe

Network

Country  Destination          Domain                        Proto
RU       5.42.92.211:80       5.42.92.211                   tcp
US       8.8.8.8:53           211.92.42.5.in-addr.arpa      udp
FI       77.91.124.82:19071   -                             tcp
FI       77.91.124.82:19071   -                             tcp
FI       77.91.124.82:19071   -                             tcp
US       8.8.8.8:53           22.236.111.52.in-addr.arpa    udp
FI       77.91.124.82:19071   -                             tcp
US       8.8.8.8:53           38.148.119.40.in-addr.arpa    udp
FI       77.91.124.82:19071   -                             tcp
US       8.8.8.8:53           7.173.189.20.in-addr.arpa     udp
FI       77.91.124.82:19071   -                             tcp

("-" marks a connection with no domain recorded; the 8.8.8.8:53 rows are reverse-DNS lookups.)

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5682608.exe

MD5 46ec7972d62e03ce67067190534a66cf
SHA1 3499f89e0154987614793a5e500704eb6addfc44
SHA256 e4ba56513a569f4bb2b78229eb6e8b0d99160be97f641055ced4abe49ae9a15a
SHA512 9d50e1f34f69ab48e2516c6f4286fdfa4f086068152c90ceaf6df1f0379fba6c273c29eb0bb12e122da85182d5d9bb5c20d4d204592b42dbd70643a10441cf07

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7019901.exe

MD5 fe4d16aa6cb5d422a0334c1aa5d3e134
SHA1 32ee6cd02b203367d38340b180fee3011531ff1c
SHA256 ac4935acba3b9d91a0d6aadb2e038186e8ffd285fade204da7cdfd4b499b1691
SHA512 ce86f16f918979437c5fda69a9e738448ef3cf6137c4553f46552a962889f0b928b2799a1542dec3018af942c6dc59554bed316f8faf9c7b933dbc54e02ef8a2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2089591.exe

MD5 34bd80037fecfd3586ce91be31e9268f
SHA1 5567a473fb40973a7b4ba65eecf303d25c8b2aed
SHA256 e704b5e0761839bf6125daba3d3fb00725c3889a64d16263f9af670b7f33c95e
SHA512 2f84896bbcf8f3f408c279e864ba475a921756c2ba3d64659335ad961ecfb62f38af82b7b535d1731e3c077b14e3b2d3df4089c9171346fd0e4701b59f5fd83a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6037580.exe

MD5 9742b6d5abbc6b392c2f2204acc25767
SHA1 330c56d1b51059ae4dd72e5072abd581a6ac34dc
SHA256 82897620ebef7edf58d17d5c49dee9f7e9a0383d8276bc70e24e55df2ed31e41
SHA512 c426c9c6d659463c59de79800d0cca6244ed3ddd3ddf50ec3f8132d7e979d74fd9e652dbb4b90570b9737067584a65773accf4c30013d0072293537b09509cc8

Memory dumps (all from PID 4264, C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6037580.exe):

memory/4264-24-0x0000000000E20000-0x0000000000E50000-memory.dmp
memory/4264-25-0x00000000734D0000-0x0000000073BBE000-memory.dmp
memory/4264-26-0x0000000002FE0000-0x0000000002FE6000-memory.dmp
memory/4264-27-0x000000000B1F0000-0x000000000B7F6000-memory.dmp
memory/4264-28-0x000000000AD70000-0x000000000AE7A000-memory.dmp
memory/4264-29-0x000000000ACA0000-0x000000000ACB2000-memory.dmp
memory/4264-30-0x000000000AD00000-0x000000000AD3E000-memory.dmp
memory/4264-31-0x000000000AE80000-0x000000000AECB000-memory.dmp
memory/4264-32-0x00000000734D0000-0x0000000073BBE000-memory.dmp