Malware Analysis Report

2025-03-15 01:45

Sample ID: 230910-swv3zsab3v
Target: 1977b80f411bc5418875737557203e3d107c578a0be6dee9e20f5e12db0ff2fd
SHA256: 1977b80f411bc5418875737557203e3d107c578a0be6dee9e20f5e12db0ff2fd
Tags: redline virad infostealer persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 1977b80f411bc5418875737557203e3d107c578a0be6dee9e20f5e12db0ff2fd

Threat Level: Known bad

The file 1977b80f411bc5418875737557203e3d107c578a0be6dee9e20f5e12db0ff2fd was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 15:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 15:29

Reported

2023-09-10 15:31

Platform

win10v2004-20230831-en

Max time kernel

142s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1977b80f411bc5418875737557203e3d107c578a0be6dee9e20f5e12db0ff2fd.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\1977b80f411bc5418875737557203e3d107c578a0be6dee9e20f5e12db0ff2fd.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7075102.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0915866.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 556 wrote to memory of 4784
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\1977b80f411bc5418875737557203e3d107c578a0be6dee9e20f5e12db0ff2fd.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7075102.exe

Description: PID 4784 wrote to memory of 3724
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7075102.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0915866.exe

Description: PID 3724 wrote to memory of 1716
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0915866.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1848341.exe

Description: PID 3724 wrote to memory of 3824
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0915866.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3149889.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1977b80f411bc5418875737557203e3d107c578a0be6dee9e20f5e12db0ff2fd.exe

"C:\Users\Admin\AppData\Local\Temp\1977b80f411bc5418875737557203e3d107c578a0be6dee9e20f5e12db0ff2fd.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7075102.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7075102.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0915866.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0915866.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1848341.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1848341.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3149889.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3149889.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7075102.exe

MD5 58dd6d4cebba939fa28635e1f699280f
SHA1 71fbd01e3b3a6131ac4ed25fa642a2da4f766b1b
SHA256 1af7e0c908053a325bcb5487f2fec6e34a9d7864555249878b1d764937f531da
SHA512 0f1d7e6fc0d9e9b0ceadfef5544f8ce2da75a162d043d82a3c573943ff35c72bbeca0a271ba695d149702fbb2101eef6d7c21f72a34d4a8d741a1a64f187c46c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0915866.exe

MD5 611821bc964e6c73fa268f44628fbe3a
SHA1 11425404d2226fe96802886e6b4535b44585a834
SHA256 b4b370cd61c2d629986e4c4bb67aea938c15a99a4e3c5181e13ce4b6c65341b0
SHA512 1bc0cad4ce2151e8896303e0fcef4b8d8802080dee68501bd918f12cad227e1df248c6ae9b756a5f9734ed2a9a42cc97f34e12082e18c64383732ef27508b496

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1848341.exe

MD5 b2c27d2ca3e20e545edd433115a5f7ce
SHA1 572d93cb954dd9aefc88c8373b5e39f0957fa9e5
SHA256 e2ffb00d67ed59d6e6699c18bcb7ed7f8d424ff66b0187fba6a651694e4e9e03
SHA512 29250da3fde48068929daf31015747c3bc2e207a6045938147986d131bee4ac1482e20cb1b7262bbb9aa8a86330d716b83843bbe091f6d167498333337287089

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3149889.exe

MD5 3d9d6999a96723d8833fdb5a08b0010e
SHA1 7224c35b12f672fecbbdd009a9dd77473899b4a6
SHA256 5361a86c966f45c813a9265cfec20109c5d039b4f928f9073eb137ff1ded2ae9
SHA512 dcbc0880d3059481461af0a1594ebd99955d01d5f21d8a3ca7698a3e4a0c48bc5d89cf97ea6cb7588ef7ebeeab4bd1d91d8b6597dd52820843afdc93b3b059b0

memory/3824-24-0x0000000000610000-0x0000000000640000-memory.dmp

memory/3824-25-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/3824-26-0x0000000005660000-0x0000000005C78000-memory.dmp

memory/3824-27-0x00000000051A0000-0x00000000052AA000-memory.dmp

memory/3824-28-0x0000000002870000-0x0000000002880000-memory.dmp

memory/3824-29-0x00000000050E0000-0x00000000050F2000-memory.dmp

memory/3824-30-0x0000000005140000-0x000000000517C000-memory.dmp

memory/3824-31-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/3824-32-0x0000000002870000-0x0000000002880000-memory.dmp