Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-sp2xysaa75
Target 273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02
SHA256 273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02

Threat Level: Known bad

The file 273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 15:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 15:18

Reported

2023-09-10 15:21

Platform

win10-20230831-en

Max time kernel

134s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7082179.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7082179.exe
PID 1376 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7082179.exe
PID 1376 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7082179.exe
PID 676 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7082179.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe
PID 676 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7082179.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe
PID 676 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7082179.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe
PID 4212 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8151025.exe
PID 4212 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8151025.exe
PID 4212 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8151025.exe
PID 4212 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8502733.exe
PID 4212 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8502733.exe
PID 4212 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8502733.exe

Processes

C:\Users\Admin\AppData\Local\Temp\273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02.exe

"C:\Users\Admin\AppData\Local\Temp\273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7082179.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7082179.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8151025.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8151025.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8502733.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8502733.exe

Network

Country Destination Domain Proto
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 254.117.26.67.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7082179.exe

MD5 55a060a4c04d4db1ebefd6068a170926
SHA1 c4220c82d2078d540a7dd95199f69f3dd302006a
SHA256 58d49e7b2b0b044161f7a0a268893f470047807e52e42e9484d1c0a3b9cbb787
SHA512 24545693f291a7b0e3501cc84d31f009fa0744eebddbf00bd2d1a14ed9f98dac5ee77ccc88b1c3f581d39ff2a55f0e48c23ec980b2bdf425250d0204b79bd174

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe

MD5 c1bd68dacd2978d54e9d449b201b65ad
SHA1 ef33cc8e7062e97a81df1194842fce08c70131d6
SHA256 bdbdbeb97a375188f7b3e42027f71d06dcf46d31365e90f31fd13cf61f5aced6
SHA512 49aed568f2b4f4c24a915200a9e072b63d115fb9406baf3da4bc350402939c86fff9b231b6d9a0d421dcf8268d690221ae3f82ac645b61baeda6cb90aff3fdc1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8151025.exe

MD5 a099282cad55a4afeb242aa2082dbf21
SHA1 9b27a76f113a9b5f188de25be67214d6e5692285
SHA256 6fcb4c56a948884fdabe46bed179a691d226e8fba533e046fc121bf77c373e9a
SHA512 462d2d216904729a6ca1a6fda598199b051634eec1faebe11704b95ddc4dd8806ce12be3703d7dc0dbbf4327ddbb53e93cc68ce7dc40cec78adf2cfba282fd2f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8502733.exe

MD5 9dad6498f68a5f897d236061a2ac0416
SHA1 d19e2401650452c22653b4338cb38be2fb17ae64
SHA256 fb2882ba468928c4c009ffec0349cc7ae4eb281de5f7152f2dd4f0863f1261e4
SHA512 7a0e0412ed815d545e933658e0a20ccb6520b7b1b7956cc9aa4a9351253dbb0bb9ec48e146a23b845cffeb7e99907d0e4a1c7e77dd4672c0bb95502803e257a4

memory/3584-24-0x0000000000E50000-0x0000000000E80000-memory.dmp
memory/3584-25-0x0000000072BA0000-0x000000007328E000-memory.dmp
memory/3584-26-0x0000000002FD0000-0x0000000002FD6000-memory.dmp
memory/3584-27-0x000000000B210000-0x000000000B816000-memory.dmp
memory/3584-28-0x000000000ADA0000-0x000000000AEAA000-memory.dmp
memory/3584-29-0x000000000ACD0000-0x000000000ACE2000-memory.dmp
memory/3584-30-0x000000000AD30000-0x000000000AD6E000-memory.dmp
memory/3584-31-0x000000000AEB0000-0x000000000AEFB000-memory.dmp
memory/3584-32-0x0000000072BA0000-0x000000007328E000-memory.dmp