Malware Analysis Report

2025-03-15 01:45

Sample ID: 230910-s6b3vsab81
Target: 7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de
SHA256: 7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de
Tags: redline virad infostealer persistence
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de

Threat Level: Known bad

The file 7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-09-10 15:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-09-10 15:43

Reported: 2023-09-10 15:46

Platform: win10-20230831-en

Max time kernel: 134s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9236422.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2056 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9236422.exe
PID 2056 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9236422.exe
PID 2056 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9236422.exe
PID 4436 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9236422.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe
PID 4436 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9236422.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe
PID 4436 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9236422.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe
PID 2468 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0012892.exe
PID 2468 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0012892.exe
PID 2468 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0012892.exe
PID 2468 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7509982.exe
PID 2468 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7509982.exe
PID 2468 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7509982.exe

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de.exe | "C:\Users\Admin\AppData\Local\Temp\7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9236422.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9236422.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0012892.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0012892.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7509982.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7509982.exe

Network

Country | Destination | Domain | Proto
RU | 5.42.92.211:80 | 5.42.92.211 | tcp
US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
FI | 77.91.124.82:19071 | | tcp
FI | 77.91.124.82:19071 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9236422.exe

MD5 9abee56bba72cea4c3c5bdff83832c6b
SHA1 8de97dfd6994d1d41a54a2cebe955a381f881aba
SHA256 9ab5a58abb194ccadf7da859b048462705e0d36ea8980c2f183cab8acef76072
SHA512 7b147f8e793d1865436fb07fea29e2f3dd5764f8988507c2bca8f3ac13db67c80f0833f76c0e81f86ca7af5c40c54888824a2c07f8124b041d507b1979f90146

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe

MD5 717ffe37123b1b214c99f863eae3c4b9
SHA1 4651b6c2406ecfc676ea8e6a885eb8348ae0d5b9
SHA256 8fa6c37b1491006a75580068c90261f02795920912762e44cfa0bb04fb75cd31
SHA512 d44f1b6e86e8d41337eb60da3d51066e7298ab6f589837c521cdba330927ec60fa4c3a3394e0e202dbf1265ad55738a3ae5cee2e384826c0da5046b9090dad13

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0012892.exe

MD5 e30ea88baabea0fa133892851b8e6000
SHA1 67fca9ae56a39b7f33584b18343bb84f24bc57f2
SHA256 5ed7464b1082793fa734dbaed8de1c728a330868539fb163257bcf6dc4668a23
SHA512 4616e7fc445321c2233977929f208dab80c6c0d87ee5d1ce118a63659cd0273e3e7aa05c542c07245f805d528c5629279e682bcd009c20b86b040fb949d5e7e2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7509982.exe

MD5 388b729a36fc92f407524afd1393c388
SHA1 947583ca2c0b6f8f3ccee7534f2951fdb76cf9f1
SHA256 f72ac12d68f02af8a9857bfdd6be6f51afa2deef78d576b72fa176112ec5af68
SHA512 bdd32994a3f6b7e811ef65dbeb7e12626b8097575a17570352474145b9d8a173f586bd4956bb9f039f377cdbcdccf32244ee278a248970823187a5b3ac4fdc18

memory/1864-24-0x0000000000DC0000-0x0000000000DF0000-memory.dmp

memory/1864-25-0x0000000072E00000-0x00000000734EE000-memory.dmp

memory/1864-26-0x0000000003030000-0x0000000003036000-memory.dmp

memory/1864-27-0x0000000005ED0000-0x00000000064D6000-memory.dmp

memory/1864-28-0x00000000059D0000-0x0000000005ADA000-memory.dmp

memory/1864-29-0x0000000005710000-0x0000000005722000-memory.dmp

memory/1864-30-0x0000000005770000-0x00000000057AE000-memory.dmp

memory/1864-31-0x00000000058C0000-0x000000000590B000-memory.dmp

memory/1864-32-0x0000000072E00000-0x00000000734EE000-memory.dmp