Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-ssz8jaaa95
Target 159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75
SHA256 159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75

Threat Level: Known bad

The file 159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 15:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 15:24

Reported

2023-09-10 15:26

Platform

win10v2004-20230831-en

Max time kernel

135s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 456 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe
PID 456 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe
PID 456 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe
PID 4448 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4158471.exe
PID 4448 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4158471.exe
PID 4448 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4158471.exe
PID 4448 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8655862.exe
PID 4448 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8655862.exe
PID 4448 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8655862.exe

Processes

C:\Users\Admin\AppData\Local\Temp\159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75.exe

"C:\Users\Admin\AppData\Local\Temp\159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4158471.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4158471.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8655862.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8655862.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe

MD5 3f42b683b80107ce3ba8709a8e664aba
SHA1 f1144d044fd9165910f5e8085b2741cef9a8c284
SHA256 f97a8d525e703530ede90a5843cf5f7ade8fd3e0818ed3680462f15501adb04c
SHA512 d976d5f89302d3465eeef94ffbcebcd549c4745a03ac5e311321835f8b5b613fac51584014c192985592af7b617f67e4a8a04244c696e3162bc63fe8631f9bdd

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4158471.exe

MD5 869b97d83656356f181bd6e87f9a70b5
SHA1 49b436b705f13b856bcf44daa8a418172c177325
SHA256 679d4a08919ed34fd7c46638c83773e18b612febf1ce64995fd2f0b776151c88
SHA512 42ac5e0d15e8da0e6ce88666263d8c262048a3e568d8ded631d23a4c794afc0de414f37ae08d23859cc7fa2e3f85c0562e7f46ad60f3018a1ae0cde33c63b539

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8655862.exe

MD5 6e417d28cebe711d65980eeef8979064
SHA1 1b3f112f074960065793d9658f047d9e444473b6
SHA256 e54e0adc03c9b6d982eecd2bae4024010c9ba1c0826302dc8cd7f8de6a947f44
SHA512 b7f8acac01cb4f8d26d2ec347593ad5c844516e268cefcb2d1918ad08e6cac550350f446f20c121acd49bc357669398d504af7f44fb063426427ae0daf9deaa2

memory/1784-17-0x0000000000C20000-0x0000000000C50000-memory.dmp

memory/1784-18-0x0000000073F70000-0x0000000074720000-memory.dmp

memory/1784-19-0x0000000005B90000-0x00000000061A8000-memory.dmp

memory/1784-20-0x0000000005680000-0x000000000578A000-memory.dmp

memory/1784-21-0x0000000005420000-0x0000000005430000-memory.dmp

memory/1784-22-0x00000000055B0000-0x00000000055C2000-memory.dmp

memory/1784-23-0x0000000005610000-0x000000000564C000-memory.dmp

memory/1784-24-0x0000000073F70000-0x0000000074720000-memory.dmp

memory/1784-25-0x0000000005420000-0x0000000005430000-memory.dmp