Malware Analysis Report

2025-03-15 01:45

Sample ID: 230910-sfk8vaaa31
Target: 771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27
SHA256: 771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27
Tags: redline virad infostealer persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27

Threat Level: Known bad

The file 771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 15:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 15:04

Reported

2023-09-10 15:06

Platform

win10v2004-20230831-en

Max time kernel

139s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3630727.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3240 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3630727.exe
PID 3240 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3630727.exe
PID 3240 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3630727.exe
PID 3140 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3630727.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe
PID 3140 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3630727.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe
PID 3140 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3630727.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe
PID 4960 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6610952.exe
PID 4960 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6610952.exe
PID 4960 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6610952.exe
PID 4960 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1718775.exe
PID 4960 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1718775.exe
PID 4960 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1718775.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27.exe"

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3630727.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3630727.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6610952.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6610952.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1718775.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1718775.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3630727.exe

MD5 32600de07f2504440d1310f0c5c3fa7a
SHA1 20874a7b167233bea0fcc1ea9a863a38d68330fc
SHA256 c95967ad6d1bb116b170863a9173b62181ce3839dbf1c224a38968901bf955e1
SHA512 691c21b5e8e4c1d17cfe904a760c4dc64bb34193337220e131b5eb53d639993c4e3d6437e71ac83c32a0852585bbf7fc3f791988859908ae20ec5fc8c0c24487

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe

MD5 9bad345f18c72518f6e3a808b6e39a25
SHA1 24b013df48caf7d0b03cc815667c998ebe79211c
SHA256 74c39d6cc8b40d5922f7119412bd189ea235c5ea265b81f41000fb76c71abcb5
SHA512 1aa8d1a3e922982d0c025de19ee9a2c619061e61e9c18ebbd95118d57c6195f0e6cb5a88e2da03399d1deb8aaf813b4575c6836dbf5f075a37111520ce53910b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6610952.exe

MD5 d2857face751c320f70d6a2b750ed947
SHA1 52d7f4b032df2504e902f72cc718a61bd9367536
SHA256 4b13c4094f26f18d50ad0034fde81417e670e1920d33ba9e7ccdfe1600389ab8
SHA512 c5f51f97069fccf3a74c7934c8d327eb5842230b6e443c030133a026dae8821da1039c7f121c13512319cec1dcb85d6f992e3bed0ee7e23ca619310649e0b412

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1718775.exe

MD5 a66a68739466c1a9e848dc9baf126229
SHA1 ef74fa9ac2da0bbab2abf3a8ac138bd9ef7a1957
SHA256 5f1d520b45d7245c1a7e48bc6c234280b893f25d4b06d9e87e6fbbfca20ad585
SHA512 b951cff954ae18b57336ed31070b6b2cc1d3bf0601026f837fe80a869cbb06bfe4b630bba7069814b8393980afdca2a5eff0c769b485d7406666bb7430342164

memory/2432-24-0x00000000004D0000-0x0000000000500000-memory.dmp

memory/2432-25-0x00000000743F0000-0x0000000074BA0000-memory.dmp

memory/2432-26-0x0000000005570000-0x0000000005B88000-memory.dmp

memory/2432-27-0x0000000005060000-0x000000000516A000-memory.dmp

memory/2432-29-0x0000000004E40000-0x0000000004E50000-memory.dmp

memory/2432-28-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

memory/2432-30-0x0000000005000000-0x000000000503C000-memory.dmp

memory/2432-31-0x00000000743F0000-0x0000000074BA0000-memory.dmp

memory/2432-32-0x0000000004E40000-0x0000000004E50000-memory.dmp