Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-sjfgrsaa29
Target 4d4bafd29ab538ec1ca91e386218408d31f92aa2fb9cd5659c3cf4ecf20b790e
SHA256 4d4bafd29ab538ec1ca91e386218408d31f92aa2fb9cd5659c3cf4ecf20b790e
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4d4bafd29ab538ec1ca91e386218408d31f92aa2fb9cd5659c3cf4ecf20b790e

Threat Level: Known bad

The file 4d4bafd29ab538ec1ca91e386218408d31f92aa2fb9cd5659c3cf4ecf20b790e was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 15:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 15:09

Reported

2023-09-10 15:11

Platform

win10v2004-20230831-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d4bafd29ab538ec1ca91e386218408d31f92aa2fb9cd5659c3cf4ecf20b790e.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str)
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: C:\Users\Admin\AppData\Local\Temp\4d4bafd29ab538ec1ca91e386218408d31f92aa2fb9cd5659c3cf4ecf20b790e.exe   Target: N/A
Set value (str)
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8581377.exe   Target: N/A
Set value (str)
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3380029.exe   Target: N/A

Read this signature with care: these are not autostart entries for the stealer. A wextract_cleanupN value under RunOnce whose data calls advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory is exactly what the Windows IExpress/WEXTRACT self-extractor writes so that its own staging directory is deleted at the next logon. Each of the three nested SFX stages writes one for the IXP directory it unpacked (the Process column shows the chain: the original sample, then y8581377.exe, then y3380029.exe). The "persistence" tag therefore comes from the generic Run-key signature firing on SFX housekeeping; no other Run or RunOnce value was recorded in this run. The practical consequence is the opposite of persistence: the dropped stages under IXP000.TMP through IXP002.TMP disappear after a reboot, so acquire them from the Files section or the live host before the machine is restarted.
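Triage tooling for the registry rows above, added here as an example and not part of the sandbox report or its vendor's code. It parses "Set value" events as rendered in the table, unescapes the data, and separates IExpress cleanup entries (which only yield the staging directories to collect) from real Run/RunOnce autostarts. The three RunOnce rows are copied from the table; the fourth event, a Run value named Updater pointing at svc.exe, is a hypothetical contrast case that does not appear in this report.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three RunOnce writes from the signature table above,
# copied as the sandbox renders them (backslashes and quotes C-escaped), plus
# one hypothetical Run-key entry that is NOT from the report, so the classifier
# has a genuine autostart to flag.
SAMPLE_REG_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""',
    # hypothetical contrast case (not in the report): a Run value pointing at a dropped binary
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe"',
]

# Row layout as rendered: Set value (<type>) <key path>\<value name> = "<escaped data>"
REG_LINE_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+) = "(?P<raw>.*)"$')
# IExpress/WEXTRACT cleanup: rundll32 advpack.dll,DelNodeRunDLL32 "<dir>" deletes <dir> at next logon
SFX_CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?(?P<target>[^"]*?)"?\s*$', re.IGNORECASE)
# WEXTRACT names its staging directories IXP000.TMP, IXP001.TMP, ...
IXP_DIR_RE = re.compile(r'\\IXP\d{3}\.TMP\\?$', re.IGNORECASE)


def unescape(raw):
    # undo the C-style escaping in the rendered data: '\\' -> '\' and '\"' -> '"'
    return re.sub(r'\\(.)', r'\1', raw)


@dataclass
class AutostartEntry:
    hive_key: str     # key path without the value name
    value_name: str
    command: str      # unescaped value data
    kind: str         # 'sfx_cleanup' (IExpress housekeeping) or 'autostart' (worth flagging)
    target: str       # directory scheduled for deletion, or the command itself


def parse_reg_event(line):
    m = REG_LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised registry event: {line!r}")
    hive_key, value_name = m['key'].rsplit('\\', 1)
    command = unescape(m['raw'])
    sfx = SFX_CLEANUP_RE.match(command)
    if sfx and IXP_DIR_RE.search(sfx['target']):
        return AutostartEntry(hive_key, value_name, command, 'sfx_cleanup', sfx['target'])
    return AutostartEntry(hive_key, value_name, command, 'autostart', command)


def triage_autostarts(lines):
    """Split Run/RunOnce writes into (real autostarts to flag, SFX cleanup entries)."""
    entries = [parse_reg_event(line) for line in lines]
    flagged = [e for e in entries if e.kind == 'autostart']
    cleanup = [e for e in entries if e.kind == 'sfx_cleanup']
    return flagged, cleanup


def staging_dirs(cleanup):
    """Directories wiped at next logon: acquire their contents before the host reboots."""
    return [e.target for e in cleanup]


if __name__ == "__main__":
    flagged, cleanup = triage_autostarts(SAMPLE_REG_EVENTS)
    for e in flagged:
        print(f"FLAG  {e.hive_key}\\{e.value_name} -> {e.command}")
    for d in staging_dirs(cleanup):
        print(f"COLLECT BEFORE REBOOT  {d}")
```

Run against this report's three rows the script flags nothing and lists the three IXP directories to collect; only the hypothetical Updater value is reported as an autostart.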

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4428 wrote to memory of 544 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\4d4bafd29ab538ec1ca91e386218408d31f92aa2fb9cd5659c3cf4ecf20b790e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8581377.exe
PID 544 wrote to memory of 3172 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8581377.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3380029.exe
PID 3172 wrote to memory of 4108 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3380029.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3734391.exe
PID 3172 wrote to memory of 892 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3380029.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8565053.exe

(the report lists each row three times, once per WriteProcessMemory call; identical rows are collapsed here with the call count)

Every write is from a parent into the dropped child executable it launched: the Target column is the next stage's own image, not an unrelated host process. This signature therefore records the stage-to-stage hand-off of the nested self-extractors, 4428 -> 544 -> 3172 -> {4108, 892}, rather than injection into a third-party process. If n8565053.exe (892) injected into anything else, it is not recorded in this run.

Processes

(image path, then command line; the tree and PIDs are taken from the WriteProcessMemory parent/child records above)

4428  C:\Users\Admin\AppData\Local\Temp\4d4bafd29ab538ec1ca91e386218408d31f92aa2fb9cd5659c3cf4ecf20b790e.exe
      "C:\Users\Admin\AppData\Local\Temp\4d4bafd29ab538ec1ca91e386218408d31f92aa2fb9cd5659c3cf4ecf20b790e.exe"

  544   C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8581377.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8581377.exe

    3172  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3380029.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3380029.exe

      4108  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3734391.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3734391.exe

      892   C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8565053.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8565053.exe

Each stage unpacks into the next IXP00N.TMP directory and runs the executable found there; the third stage (3172) launches two leaves, m3734391.exe and n8565053.exe. Only 892 (n8565053.exe) has memory dumps in the Files section.
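The WriteProcessMemory rows and the process list above are the same data seen twice. The following script, an added example rather than anything from the report or the sandbox vendor, parses the "PID X wrote to memory of Y" rows as rendered, collapses the repeated calls, and rebuilds the process tree and the list of dropped stage binaries from them. It assumes the image paths contain no spaces, which holds for every row in this report.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: the four distinct rows of the WriteProcessMemory table
# above. The report lists each row three times, which is reproduced here so
# the parser has repeats to collapse.
_T = r"C:\Users\Admin\AppData\Local\Temp"
_DISTINCT = [
    f"PID 4428 wrote to memory of 544 N/A {_T}\\4d4bafd29ab538ec1ca91e386218408d31f92aa2fb9cd5659c3cf4ecf20b790e.exe {_T}\\IXP000.TMP\\y8581377.exe",
    f"PID 544 wrote to memory of 3172 N/A {_T}\\IXP000.TMP\\y8581377.exe {_T}\\IXP001.TMP\\y3380029.exe",
    f"PID 3172 wrote to memory of 4108 N/A {_T}\\IXP001.TMP\\y3380029.exe {_T}\\IXP002.TMP\\m3734391.exe",
    f"PID 3172 wrote to memory of 892 N/A {_T}\\IXP001.TMP\\y3380029.exe {_T}\\IXP002.TMP\\n8565053.exe",
]
SAMPLE_WPM_LINES = [row for row in _DISTINCT for _ in range(3)]

# Row layout as rendered: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
# Assumption: image paths contain no spaces (true for every row in this report).
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_path>\S+) (?P<dst_path>\S+)$"
)


def parse_wpm(lines):
    """Collapse rows into {(src_pid, dst_pid): (src_path, dst_path, n_calls)}."""
    edges = {}
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            continue  # tolerate the header row and blank lines
        key = (int(m["src"]), int(m["dst"]))
        src_path, dst_path, n = edges.get(key, (m["src_path"], m["dst_path"], 0))
        edges[key] = (src_path, dst_path, n + 1)
    return edges


def process_tree(edges):
    """Return (roots, children, image_by_pid) derived purely from the write edges."""
    children = defaultdict(list)
    image = {}
    for (src, dst), (src_path, dst_path, _) in edges.items():
        children[src].append(dst)
        image.setdefault(src, src_path)
        image[dst] = dst_path
    written_to = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges} - written_to)  # processes nobody wrote into
    return roots, dict(children), image


def render_tree(edges):
    """Indented text tree; each child is annotated with the number of write calls from its parent."""
    roots, children, image = process_tree(edges)
    out = []

    def walk(pid, parent, depth):
        label = f"{pid} {ntpath.basename(image[pid])}"
        if parent is not None:
            label += f"  ({edges[(parent, pid)][2]} WriteProcessMemory calls from {parent})"
        out.append("  " * depth + label)
        for child in sorted(children.get(pid, [])):
            walk(child, pid, depth + 1)

    for root in roots:
        walk(root, None, 0)
    return "\n".join(out)


def dropped_images(edges):
    """Distinct executables that received writes: the stage binaries to pull from the Files section."""
    return sorted({dst_path for _, dst_path, _ in edges.values()})


if __name__ == "__main__":
    e = parse_wpm(SAMPLE_WPM_LINES)
    print(render_tree(e))
    print("\n".join(dropped_images(e)))
```

The same parser applies to any report in this format; a process that appears as a write target without being a parent (a leaf) is where to look for the final payload, which here is 4108 and 892.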

Network

Country Destination Domain Proto Hits
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp 1
RU 5.42.92.211:80 5.42.92.211 tcp 1
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp 1
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp 1
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp 1
FI 77.91.124.82:19071 - tcp 6
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp 1
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp 1
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp 1
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp 1
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp 1

(rows in first-seen order; the six identical sessions to 77.91.124.82:19071 are collapsed into one row with a hit count)

The 8.8.8.8:53 rows are reverse (PTR) lookups, not connections. All but one are consistent with the Windows 10 image's own background lookups; the exception is 211.92.42.5.in-addr.arpa, which reverse-resolves 5.42.92.211, the RU host that was also contacted over TCP/80. The six raw TCP sessions to 77.91.124.82:19071, a bare IP on a high port with no preceding DNS, are the transport pattern expected for RedLine's C2 channel. Treat 77.91.124.82:19071 as the primary network IOC from this run and 5.42.92.211:80 as secondary.
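Network triage for the table above, added here as an example and not part of the report or its vendor's tooling. It parses the rows as rendered, separates PTR lookups from real connections, decodes each in-addr.arpa name back to the address being reverse-resolved so that it can be correlated with the contacted hosts, ranks endpoints by hit count, and emits one Suricata rule per endpoint. The sample rows are copied from the table; the SID range 9000001 onward is a placeholder assumption, not a registered allocation.

```python
import re
from collections import Counter

# Constructed sample: the Network table above, copied row for row (the FI
# endpoint appears six times in the report and six times here).
SAMPLE_NETWORK_ROWS = """\
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
""".splitlines()

# Row layout as rendered: "<CC> <ip>:<port> [<domain>] <proto>"; the domain column is blank
# for the raw TCP sessions, hence the optional group.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)
PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """'211.92.42.5.in-addr.arpa' -> '5.42.92.211' (the address whose PTR record was requested)."""
    n = name.lower()
    if not n.endswith(PTR_SUFFIX):
        raise ValueError(f"not an IPv4 PTR name: {name}")
    octets = n[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return ".".join(reversed(octets))


def summarize(rows):
    contacted = Counter()   # (ip, port, proto, cc) -> number of sessions
    ptr_lookups = set()     # addresses something on the box tried to reverse-resolve
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # header row or blank line
        domain = m["domain"] or ""
        if m["port"] == "53" and domain.lower().endswith(PTR_SUFFIX):
            ptr_lookups.add(ptr_to_ip(domain))
            continue
        contacted[(m["ip"], int(m["port"]), m["proto"], m["cc"])] += 1
    ranked = [(*key, hits) for key, hits in contacted.most_common()]
    return {
        "contacted": ranked,
        "ptr_lookups": ptr_lookups,
        # a host that was both connected to and reverse-resolved shows up in two independent columns
        "corroborated": sorted(ip for ip, *_ in ranked if ip in ptr_lookups),
    }


def suricata_rules(summary, base_sid=9000001):
    """One alert rule per contacted endpoint. base_sid is a placeholder; use your own local range."""
    rules = []
    for i, (ip, port, proto, cc, hits) in enumerate(summary["contacted"]):
        rules.append(
            f'alert {proto} $HOME_NET any -> {ip} {port} '
            f'(msg:"Sandbox IOC {ip}:{port} ({cc}, {hits} sessions in detonation)"; '
            f'flow:to_server; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    s = summarize(SAMPLE_NETWORK_ROWS)
    for ip, port, proto, cc, hits in s["contacted"]:
        print(f"{ip}:{port}/{proto} {cc} x{hits}")
    print("reverse-resolved and contacted:", s["corroborated"])
    print("\n".join(suricata_rules(s)))
```

Matching on bare IP and port is deliberate for this sample, since it never resolved a hostname for its C2; a rule keyed on DNS would never fire.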

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8581377.exe

MD5 016b0776eefa9005dae8ca2d14a73e63
SHA1 e0fbf85e98ebdab0a7a9fb93320c851d108377c7
SHA256 625a4ba90e6475c80b466f40149fa43c48d304eb99c3f78dc64f77bb065b11b8
SHA512 c678b9c2c13e030444faa0b282f7ed2693ad4f010161c9b1a748fae191d879dd1a2010473be8e3e0d7294061d339321798f12e6a96049231ec15c429c9335c2f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3380029.exe

MD5 a9b8c48c74b9112a780f6e40cd38c596
SHA1 9fddb3b41d3a1c1474a2e1812af038c1aaa46b25
SHA256 2d28e68b4251e8b2d887f1a4877b8ad77bbfc6fafca67fd4ade8408466f727bd
SHA512 946867de4d5ea040f239de9225379981e1a6724538aecda655e9ca1646ae21835c9bb4c07c93886c84534f78b9f3ac6a49b029e5741861618145bc422634533d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3734391.exe

MD5 671d2ab229f16ba63536914c6540b851
SHA1 82f4bcd0d71db3c22f974afc5805b797f7786d4f
SHA256 e3c10b81610a573d66a3e7eb8a7b15d30252beb093217f2f246101394b02e144
SHA512 faddff6722bde3fd4afca475a29c69ba165b75ec68464351df694e4d3d319ac20cdd515e1ffc3a95e61b9f705960c50a164e29427215989246824aa1fe606e72

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8565053.exe

MD5 c8d58048ea4cba31315279d7c9a15634
SHA1 4451ca8eed6bf5b87bf5936676adad18feb902ca
SHA256 9c05f9cb5c6511450a0080e6df105f47f3e5a9baf9adbdc13b635a57c29dcb0d
SHA512 038c3a59be0fdc3b0f05a5adf1fde0ff59a430a5bbbb5e6c99eb71710040b28239dad085687ff58003be7c17e9d924424a3d3e092e37e592f586423687b66911

Memory dumps (all from PID 892, n8565053.exe; file names follow memory/<pid>-<seq>-<start>-<end>-memory.dmp)

seq  range                                    size
24   0x0000000000B90000-0x0000000000BC0000    192 KiB
25   0x0000000073C70000-0x0000000074420000    7872 KiB
26   0x0000000005C70000-0x0000000006288000    6240 KiB
27   0x0000000005760000-0x000000000586A000    1064 KiB
28   0x0000000005670000-0x0000000005682000    72 KiB
29   0x0000000005500000-0x0000000005510000    64 KiB
30   0x00000000056D0000-0x000000000570C000    240 KiB
31   0x0000000073C70000-0x0000000074420000    7872 KiB (same region as 25, dumped again)
32   0x0000000005500000-0x0000000005510000    64 KiB (same region as 29, dumped again)

892 is the only process the sandbox dumped. The report does not state which process the RedLine family match fired on, but these dumps are where to look for the unpacked stealer and its embedded configuration; the dropped files above are only the SFX stages that carry it.