Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-scnvkahh64
Target cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042
SHA256 cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042

Threat Level: Known bad

The file cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 14:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

The static signature only records that the submitted PE carries no Authenticode signature; it produces no per-event rows, hence the N/A columns.

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 14:58

Reported

2023-09-10 15:01

Platform

win10-20230831-en

Max time kernel

144s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description   Set value (str) under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (raw report path: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\...)
Target        N/A for all three rows

Value name         Data                                                                                                      Writing process
wextract_cleanup0  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"   C:\Users\Admin\AppData\Local\Temp\cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042.exe
wextract_cleanup1  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"   C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7735334.exe
wextract_cleanup2  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"   C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8191104.exe

Note: these values do not start the malware. wextract.exe (the IExpress self-extractor runtime) writes a RunOnce value named wextract_cleanupN whose data calls the DelNodeRunDLL32 export of advpack.dll to delete the IXP00N.TMP directory it extracted into, and here each nested stage writes its own entry for the directory it created. The value deletes files at the next logon rather than re-launching anything, so the "persistence" tag overstates what was observed; the IXP###.TMP directory chain itself is the reliable finding, since it shows the sample and its first two stages are nested self-extracting packages. The WOW6432Node path means the writers are 32-bit processes on 64-bit Windows. RunOnce values are removed once they run, so on a live host both the values and the IXP directories may already be gone.
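As an added example (not part of this report or of the sandbox's own tooling), the following Python parses the three raw "Set value (str)" rows in the form the report prints them, unescapes the value data and classifies each write, separating the wextract cleanup entries from a genuine autostart value. The fourth input row, with its SID, value name and updater.exe path, is constructed for contrast and does not occur in this report.

```python
"""Classify "Set value" autostart rows from a sandbox report.

Added example, not code from the report or the sandbox. The first three
REPORT_LINES are copied verbatim from the report; the fourth is a
constructed counter-example (SID, value name and path are invented).
"""
import re

REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7735334.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8191104.exe N/A',
    # Constructed row (not in the report): a per-user Run value that would
    # re-launch a dropped binary at every logon, i.e. real persistence.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\svc\\updater.exe\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8459468.exe N/A',
]

# <key>\<value name> = "<backslash-escaped data>" <writing process> <target>
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\S+) = "(?P<data>(?:[^"\\]|\\.)*)" (?P<proc>\S+) (?P<target>\S+)$'
)
CLEANUP_NAME = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)
DELNODE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"', re.IGNORECASE)
STAGE_DIR = re.compile(r"IXP\d{3}\.TMP", re.IGNORECASE)


def unescape(data):
    # The report escapes backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", data)


def parse_line(line):
    m = ROW_RE.match(line)
    if not m:
        return None
    key, value_name = m.group("key").rsplit("\\", 1)
    return {
        "key": key,
        "value_name": value_name,
        "data": unescape(m.group("data")),
        "process": m.group("proc"),
        # WOW6432Node in the path: a 32-bit process writing on 64-bit Windows.
        "wow64": "\\wow6432node\\" in key.lower(),
    }


def classify(entry):
    """Return (verdict, cleanup_dir). cleanup_dir is set only for wextract entries."""
    key = entry["key"].lower()
    if not (key.endswith("\\run") or key.endswith("\\runonce")):
        return "not-autostart", None
    m = DELNODE.search(entry["data"])
    # wextract's signature: RunOnce + wextract_cleanupN + advpack DelNodeRunDLL32.
    if key.endswith("\\runonce") and CLEANUP_NAME.match(entry["value_name"]) and m:
        return "wextract-cleanup", m.group("dir")
    return "persistence", None


def triage(lines):
    out = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        e["verdict"], e["cleanup_dir"] = classify(e)
        # A writer living in IXP###.TMP is itself an extracted stage.
        e["writer_in_stage_dir"] = bool(STAGE_DIR.search(e["process"]))
        out.append(e)
    return out


if __name__ == "__main__":
    for row in triage(REPORT_LINES):
        print(f'{row["verdict"]:17} {row["value_name"]:18} by {row["process"]}')
```

On the report's three rows the verdict is wextract-cleanup with the IXP directory extracted from the data; only the constructed Run value comes back as persistence, which is the distinction the sandbox's single "Adds Run key" signature does not make.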

Suspicious use of WriteProcessMemory

Writer PID  Target PID  Events  Writer image                                                                                          Target image
2388        4428        3       C:\Users\Admin\AppData\Local\Temp\cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042.exe   C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7735334.exe
4428        4104        3       C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7735334.exe                                             C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8191104.exe
4104        1580        3       C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8191104.exe                                             C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9572907.exe
4104        960         3       C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8191104.exe                                             C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8459468.exe
(Indicator column: N/A for every row. The raw report lists each write three times; the rows are collapsed here with an event count.)

Note: every write goes from a stage to an executable it has just extracted into the IXP directory it registered for cleanup, and no target is written by more than one process. Process creation itself writes the new child's startup parameters into it, so this signature firing on a parent-to-child write is expected for any dropper and does not by itself show injection into an unrelated process. What the rows do establish is the stage chain: sample -> y7735334.exe -> y8191104.exe -> m9572907.exe and n8459468.exe.
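As an added example (not part of this report), the following Python rebuilds the stage chain from the raw "PID X wrote to memory of Y" rows above, de-duplicates the repeated events, and flags any write that does not fit the pattern of a loader starting its own next stage. INJECTION_EXAMPLE is a constructed row (the PID 5120 and the notepad.exe target are invented) that shows the case the check is meant to catch.

```python
"""Rebuild a loader chain from WriteProcessMemory rows of a sandbox report.

Added example, not code from the report or the sandbox. REPORT_LINES are
the report's own rows (each reported three times, as in the raw output);
INJECTION_EXAMPLE is constructed and does not occur in this report.
"""
import re
from collections import Counter, defaultdict

_T = r"C:\Users\Admin\AppData\Local\Temp"
REPORT_LINES = (
    [rf"PID 2388 wrote to memory of 4428 N/A {_T}\cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042.exe {_T}\IXP000.TMP\y7735334.exe"] * 3
    + [rf"PID 4428 wrote to memory of 4104 N/A {_T}\IXP000.TMP\y7735334.exe {_T}\IXP001.TMP\y8191104.exe"] * 3
    + [rf"PID 4104 wrote to memory of 1580 N/A {_T}\IXP001.TMP\y8191104.exe {_T}\IXP002.TMP\m9572907.exe"] * 3
    + [rf"PID 4104 wrote to memory of 960 N/A {_T}\IXP001.TMP\y8191104.exe {_T}\IXP002.TMP\n8459468.exe"] * 3
)
# Constructed (not in the report): the last stage writing into a system binary.
INJECTION_EXAMPLE = [rf"PID 960 wrote to memory of 5120 N/A {_T}\IXP002.TMP\n8459468.exe C:\Windows\System32\notepad.exe"]

EVENT_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<simg>\S+) (?P<dimg>\S+)$")
# An image dropped into %TEMP% directly or into a wextract IXP###.TMP directory.
STAGE_IMG = re.compile(r"\\AppData\\Local\\Temp\\(?:IXP\d{3}\.TMP\\)?[^\\]+\.exe$", re.IGNORECASE)


def build_tree(lines):
    image, writes = {}, Counter()
    children, writers = defaultdict(set), defaultdict(set)
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        image[src], image[dst] = m["simg"], m["dimg"]
        writes[(src, dst)] += 1          # collapse repeated events
        children[src].add(dst)
        writers[dst].add(src)
    roots = sorted(p for p in image if p not in writers)
    return {"image": image, "writes": writes, "children": children, "writers": writers, "roots": roots}


def lineage(tree, pid):
    """Root-to-pid chain, following the (single) writer of each process."""
    path, seen = [pid], {pid}
    while tree["writers"].get(pid):
        pid = min(tree["writers"][pid])
        if pid in seen:              # guard against a cycle in malformed input
            break
        seen.add(pid)
        path.append(pid)
    return path[::-1]


def leaves(tree):
    """Processes that write into no other process: the final payload stages."""
    return {p for p in tree["image"] if not tree["children"].get(p)}


def suspicious_writes(tree):
    """Writes that are not 'loader starts the stage it just dropped'."""
    out = []
    for (src, dst), n in tree["writes"].items():
        target = tree["image"][dst]
        if not STAGE_IMG.search(target):
            out.append((src, dst, n, "target image outside the Temp staging tree: " + target))
        elif len(tree["writers"][dst]) > 1:
            out.append((src, dst, n, "target written by more than one process"))
    return out


def render(tree, pid=None, depth=0):
    """Indented text tree, one line per process, roots first."""
    pids = tree["roots"] if pid is None else sorted(tree["children"].get(pid, ()))
    lines = []
    for p in pids:
        lines.append("  " * depth + f"{p}  {tree['image'][p]}")
        lines.extend(render(tree, p, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_tree(REPORT_LINES))))
    for s in suspicious_writes(build_tree(REPORT_LINES + INJECTION_EXAMPLE)):
        print("suspicious:", s)
```

On the report's rows the tree has one root (2388), two leaves (1580 and 960) and no suspicious write; adding the constructed row produces exactly one finding, because notepad.exe is not a dropped stage.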

Processes

Process tree (PIDs taken from the WriteProcessMemory rows above). The submitted sample is the only process launched with a quoted command line; each dropped stage runs with no arguments, so its command line equals its image path and is not repeated here.

2388  C:\Users\Admin\AppData\Local\Temp\cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042.exe"
  4428  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7735334.exe
    4104  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8191104.exe
      1580  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9572907.exe
      960   C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8459468.exe

Network

Country  Destination          Proto  Domain column                 Note
RU       5.42.92.211:80       tcp    5.42.92.211                   1 connection on the HTTP port, contacted by IP (no hostname)
US       8.8.8.8:53           udp    211.92.42.5.in-addr.arpa      reverse (PTR) lookup of 5.42.92.211
FI       77.91.124.82:19071   tcp    (blank)                       6 connections spread across the run, non-standard port, contacted by IP
US       8.8.8.8:53           udp    50.192.11.51.in-addr.arpa     reverse (PTR) lookup of 51.11.192.50
US       8.8.8.8:53           udp    240.221.184.93.in-addr.arpa   reverse (PTR) lookup of 93.184.221.240
US       8.8.8.8:53           udp    9.57.101.20.in-addr.arpa      reverse (PTR) lookup of 20.101.57.9
(The raw report lists the six 77.91.124.82:19071 connections as separate rows, interleaved with the PTR lookups; they are collapsed here with a count.)

Notes: the sample resolves no hostname; both TCP peers are contacted directly by IP address. The in-addr.arpa queries to 8.8.8.8 (the environment's resolver) are reverse lookups of addresses seen on the wire, not traffic to those addresses. Only 5.42.92.211 matches a connection in this table; 51.11.192.50, 93.184.221.240 and 20.101.57.9 appear nowhere else in the report. Repeated connections to 77.91.124.82:19071 are the behaviour one expects of the stealer's C2 channel, but this report contains no extracted configuration, so treat that endpoint as an IOC inferred from behaviour rather than a confirmed C2.
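As an added example (not part of this report), the following Python reads the raw Network rows above, separates resolver traffic and reverse lookups from real connections, aggregates the repeated connections and cross-checks which looked-up addresses the sample actually contacted, producing an IOC list a practitioner could hand on. Nothing in the code talks to the network; the rows are embedded as the input.

```python
"""Turn a sandbox report's Network table into IOC candidates.

Added example, not code from the report or the sandbox. REPORT_ROWS are
copied from the report's Network section.
"""
import re
from collections import Counter

REPORT_ROWS = """\
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
""".splitlines()

# <country> <ip>:<port> [<domain>] <proto>; the domain column may be empty.
ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")


def parse_row(line):
    m = ROW_RE.match(line)
    if not m:
        return None
    return {"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
            "domain": m["domain"], "proto": m["proto"]}


def ptr_target(name):
    """'211.92.42.5.in-addr.arpa' -> '5.42.92.211'; None if not a PTR name."""
    if not name or not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def summarize(lines, resolver_port=53):
    connections, hostnames = Counter(), {}
    ptr_lookups, dns_queries = set(), set()
    for line in lines:
        r = parse_row(line)
        if r is None:
            continue
        if r["proto"] == "udp" and r["port"] == resolver_port and r["domain"]:
            target = ptr_target(r["domain"])
            if target:
                ptr_lookups.add(target)      # reverse lookup: not a peer of the sample
            else:
                dns_queries.add(r["domain"])  # forward lookup of a hostname
            continue
        key = (r["ip"], r["port"], r["proto"])
        connections[key] += 1
        # A domain equal to the IP, or absent, means no hostname was resolved.
        hostnames[key] = r["domain"] if r["domain"] and r["domain"] != r["ip"] else None
    contacted = {ip for ip, _, _ in connections}
    iocs = [
        {"dst": f"{ip}:{port}", "proto": proto, "count": n,
         "hostname": hostnames[(ip, port, proto)],
         "direct_to_ip": hostnames[(ip, port, proto)] is None}
        for (ip, port, proto), n in connections.most_common()
    ]
    return {
        "connections": dict(connections),
        "dns_queries": dns_queries,
        "ptr_lookups": ptr_lookups,
        # Looked-up addresses the sample never connected to: background noise
        # in this report, worth checking rather than listing as IOCs.
        "ptr_without_connection": ptr_lookups - contacted,
        "iocs": iocs,
    }


if __name__ == "__main__":
    s = summarize(REPORT_ROWS)
    for ioc in s["iocs"]:
        print(f'{ioc["dst"]:22} {ioc["proto"]}  x{ioc["count"]}  direct_to_ip={ioc["direct_to_ip"]}')
    print("looked up but never contacted:", sorted(s["ptr_without_connection"]))
```

Run on the rows above this yields two IOC candidates, 77.91.124.82:19071 (six connections) and 5.42.92.211:80 (one), both contacted without a hostname, and three reverse-looked-up addresses that never appear as a destination.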

Files

The raw report lists every dropped file twice with identical hashes; each is given once here.

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7735334.exe
MD5     12fa3eb97370c9787af3286ae298a744
SHA1    474ac6226e6259a99c81e815f6b8440a87a38084
SHA256  627f08929168229417d11ec060145379326d2627945d60874bb346c9d336fbe5
SHA512  269de9c03a46a50c69741c4416b7343f00328cd05ab766eaef22911da30e758e3bc346b7378faf235a0072eb80bf89a888c534820fcc79d2d331cb5737a94de9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8191104.exe
MD5     05253cdbc82346bc67becfe01f35d0ce
SHA1    74989b15ca68f0595c638c72fafcad43ea75f364
SHA256  2cddc8907e464d2e6bc0eea6e9557aca3c9d213349e534d893a1866cbb3cd3a6
SHA512  1b8c313777d74e0c7b36b4dc9ef7b85e820e6c3fb48c917acc0c9bfa6e50952626e453a4b2e19cbb75e25a72c8d923ae4fca70781d2b68902f9dcb1dd733d69e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9572907.exe
MD5     c144a8e1fe4e8f834ac2a4226c2c14b8
SHA1    e4ff06d8676201cdfe1eb9db340c1808b2a26dd0
SHA256  611a1e139dd2a2fc257f36fd6c2a0dfa6a361e8644b7d4a78f8eb9cac00bce3a
SHA512  4d6b8cf449c40223bee790973126c588211cab4810abc16a81071e6b8b1b623fc7f6ab51e5ce73e9701d423e906338324b4d32953d74c9022ce0eda727dc07cf

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8459468.exe
MD5     0b02b8935cbcf99f75bdaaa865968d3f
SHA1    a1dfa80727084e741464a1c0e9f624d88ecd37a6
SHA256  d73fd9ba820bc170129db963e67008022514031656eaa37d863f90265373e658
SHA512  049cad85f1119ee19ca989fd1ebab7ca50dbb8536670834ec6b07b55f1a6d60bea244f3e4e56aaa27e00f265b957004642c703b026f098782b549101f145f36f

Memory dumps. All are from PID 960 (n8459468.exe, the last stage); the filename form is memory/<pid>-<index>-<start>-<end>-memory.dmp, with the index giving the order in which the dumps were taken.

Dump file                                                  Size
memory/960-24-0x0000000000310000-0x0000000000340000-memory.dmp   0x30000
memory/960-25-0x0000000072F60000-0x000000007364E000-memory.dmp   0x6EE000
memory/960-26-0x0000000002500000-0x0000000002506000-memory.dmp   0x6000
memory/960-27-0x000000000A620000-0x000000000AC26000-memory.dmp   0x606000
memory/960-28-0x000000000A120000-0x000000000A22A000-memory.dmp   0x10A000
memory/960-29-0x000000000A050000-0x000000000A062000-memory.dmp   0x12000
memory/960-30-0x000000000A0B0000-0x000000000A0EE000-memory.dmp   0x3E000
memory/960-31-0x000000000A230000-0x000000000A27B000-memory.dmp   0x4B000
memory/960-32-0x0000000072F60000-0x000000007364E000-memory.dmp   0x6EE000 (same region as dump 25, taken again later in the run)

Every region lies below 4 GiB, consistent with the 32-bit process indicated by the WOW6432Node registry path above.