Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-smcv2saa46
Target e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b
SHA256 e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b

Threat Level: Known bad

The file e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 15:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 15:14

Reported

2023-09-10 15:16

Platform

win10v2004-20230831-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3932490.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3932490.exe
PID 2352 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3932490.exe
PID 2352 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3932490.exe
PID 4552 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3932490.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe
PID 4552 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3932490.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe
PID 4552 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3932490.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe
PID 2440 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5066932.exe
PID 2440 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5066932.exe
PID 2440 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5066932.exe
PID 2440 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2575916.exe
PID 2440 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2575916.exe
PID 2440 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2575916.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b.exe

"C:\Users\Admin\AppData\Local\Temp\e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3932490.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3932490.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5066932.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5066932.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2575916.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2575916.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3932490.exe

MD5 fbd1cfc4685fe07d0950774d8e8d93c7
SHA1 ee3a3933b46d5b4be30f5da4dfa3a6e4ce667afe
SHA256 39dd0a403726abfae032cffef6310f40c265d91e553654fd1f58883d283c334b
SHA512 a144ac3b854e23e58388595c7fdf68d1fac0197f7799252f8c56480207c26ff275f44d7d609d93088107c54b42a06995a6551f405b5477ddc24de81c6f46adcf

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe

MD5 78e8062cabf7e3b6ab4821b19264cae5
SHA1 f36b6a533a156e246e5361984a61813d3fef9a41
SHA256 45a8b15e5cf12f1c0346e173918b0b711f4aabdadf9807192c2e416d6098010e
SHA512 5b24dd6f377a00feca8d46c7a5de03d47173b1b4bae8808d23f2ad664abf72beec1c98653c051c44e51c38fdfa218cc86dec134bb63cbe8f416df05fd9bc75f9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5066932.exe

MD5 9311b141ed218840880d9772e4e37c7b
SHA1 ad378c0ea6ca088d036af763cd9c0780c4c98af7
SHA256 810732f89464935bb8a0052a82ff8ddeaec8493b60eff6df96c186393be88a70
SHA512 985e232643927ca9bfb926c94751cb6852b89a0344f6f03921994b65344cea9b4f30bd724b7126f57ebb87e3bc3c16ce4058e39726065536725c76033bfbe9fb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2575916.exe

MD5 cf914e72a10a794d9e7f46926cb51dde
SHA1 99ab0c103f434cd8d4f7251328b01849d1e94d54
SHA256 8a68ed2952dd5bd032f7c7eb077524a96fc0f2ae1fded8b9e7afff1aaf1a606c
SHA512 30224e7601cc43e98ba97da9827db5f41b2c5b1bea3d5a9ae8e712e3ceb7aa5eac699b70654d897e6a2918c0bf295aa6e566e536ad061d590f265a4172aa061c

memory/232-24-0x00000000007A0000-0x00000000007D0000-memory.dmp

memory/232-25-0x0000000073C10000-0x00000000743C0000-memory.dmp

memory/232-26-0x0000000005850000-0x0000000005E68000-memory.dmp

memory/232-27-0x0000000005340000-0x000000000544A000-memory.dmp

memory/232-29-0x0000000005120000-0x0000000005130000-memory.dmp

memory/232-28-0x0000000005270000-0x0000000005282000-memory.dmp

memory/232-30-0x00000000052D0000-0x000000000530C000-memory.dmp

memory/232-31-0x0000000073C10000-0x00000000743C0000-memory.dmp

memory/232-32-0x0000000005120000-0x0000000005130000-memory.dmp