Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-s893nsac33
Target 211bbfc984d662aabddbcf782176dbed5ca0e988cefc20445e5319db46f95c03
SHA256 211bbfc984d662aabddbcf782176dbed5ca0e988cefc20445e5319db46f95c03
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

211bbfc984d662aabddbcf782176dbed5ca0e988cefc20445e5319db46f95c03

Threat Level: Known bad

The file 211bbfc984d662aabddbcf782176dbed5ca0e988cefc20445e5319db46f95c03 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 15:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 15:48

Reported

2023-09-10 15:51

Platform

win10-20230703-en

Max time kernel

137s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\211bbfc984d662aabddbcf782176dbed5ca0e988cefc20445e5319db46f95c03.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\211bbfc984d662aabddbcf782176dbed5ca0e988cefc20445e5319db46f95c03.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4861451.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6119199.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3416 wrote to memory of 3192 | N/A | C:\Users\Admin\AppData\Local\Temp\211bbfc984d662aabddbcf782176dbed5ca0e988cefc20445e5319db46f95c03.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4861451.exe
PID 3192 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4861451.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6119199.exe
PID 2368 wrote to memory of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6119199.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4486940.exe
PID 2368 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6119199.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0112396.exe

Processes

C:\Users\Admin\AppData\Local\Temp\211bbfc984d662aabddbcf782176dbed5ca0e988cefc20445e5319db46f95c03.exe

"C:\Users\Admin\AppData\Local\Temp\211bbfc984d662aabddbcf782176dbed5ca0e988cefc20445e5319db46f95c03.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4861451.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6119199.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4486940.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0112396.exe

Network

Country | Destination | Domain | Proto
RU | 5.42.92.211:80 | 5.42.92.211 | tcp
US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4861451.exe

MD5 fcd5f6a0dfcb6d948c708519c709d216
SHA1 96179407b1534170a447b9cb362b71fbb4cef12a
SHA256 361b588360a7734d69f7d565af91c4e553027d410d073ed35a94c365250d2574
SHA512 11dfd56f22dc7c60fa57709d2741a3f1cacc3004b152f243b3d7b120624b54849126567e4a673894d4a7bd9370a7533f696646aaa2bfbb032167b171b1835710

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6119199.exe

MD5 fd4675659ac802d24a875807178dc50e
SHA1 579b740a15d1e05323f70a45ee95374d02769d16
SHA256 c049902276db963bab6c40e39cc25de38fa27df673141f7ce09aed96819302de
SHA512 c46ee1a8bb5dc8ce5effda095ef1a552db41dfcd3db74a7172090185a3fed4efd56e56a86528e5c8d7348cdbee354157789046e2d95c1116b4a419d2f605283f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4486940.exe

MD5 87901109709e8efa126e9f4ca0062d0a
SHA1 8edbec87ab9fabb79dedb0dcc66a747ab69b012b
SHA256 6cdaae51c3f6696b4ff4d314eb179d431bca2b43c246e8b2025c352587692a9e
SHA512 020dc1ef68b7a14801d2543c523f495ec59c1f47d4270e936a0fc25f4d3b5f68eb36e881a201d5bc104d7487b6ff70a4de360802ecc5f62c3fa79eb39071a1f6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0112396.exe

MD5 720aabd1fb39b9fcb66b5ee201a79400
SHA1 d72624c326430b5b38057552baed22114e60a071
SHA256 fb70eb16da108ca0a17e80782e04593f6931b607a6e986bc6fa8b591f5e22118
SHA512 7b5f39f5547bfe559384e693761fe7c5f078a99d6af5206568ce8ee568b5565424e8f8a8767aff3b71f920e4a4a2dc96cf4eb9af5766a47abfa10cfa3d9fe454

memory/3912-24-0x0000000000540000-0x0000000000570000-memory.dmp
memory/3912-25-0x0000000072BA0000-0x000000007328E000-memory.dmp
memory/3912-26-0x0000000004D00000-0x0000000004D06000-memory.dmp
memory/3912-27-0x00000000054D0000-0x0000000005AD6000-memory.dmp
memory/3912-28-0x0000000004FD0000-0x00000000050DA000-memory.dmp
memory/3912-29-0x0000000004D50000-0x0000000004D62000-memory.dmp
memory/3912-30-0x0000000004EC0000-0x0000000004EFE000-memory.dmp
memory/3912-31-0x0000000004F00000-0x0000000004F4B000-memory.dmp
memory/3912-32-0x0000000072BA0000-0x000000007328E000-memory.dmp