Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-szsr2aab43
Target 3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345
SHA256 3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345

Threat Level: Known bad

The file 3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 15:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 15:34

Reported

2023-09-10 15:36

Platform

win10-20230831-en

Max time kernel

133s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4945763.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4945763.exe
PID 4780 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4945763.exe
PID 4780 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4945763.exe
PID 1920 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4945763.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe
PID 1920 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4945763.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe
PID 1920 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4945763.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe
PID 3896 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6469612.exe
PID 3896 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6469612.exe
PID 3896 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6469612.exe
PID 3896 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7551739.exe
PID 3896 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7551739.exe
PID 3896 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7551739.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345.exe

"C:\Users\Admin\AppData\Local\Temp\3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4945763.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4945763.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6469612.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6469612.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7551739.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7551739.exe

Network

Country Destination Domain Proto
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4945763.exe

MD5 38b3f26aa1a688ca7edf542aa6316413
SHA1 7d324b5cea58e7927f1647cf79e7c7fa58fb0e4f
SHA256 bb1c730e2e1bb646028bb473f4e551dc39e6d2c13a804f5f712862512d7b91c2
SHA512 efe4c9b14cdb27831e1ff67bfdcf8671f6b25de9319998b5ec001d9965e3ff9db87c17b747ae833ce12dad114bf2aa0275a058b599fcb151a325c02e55e481a7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe

MD5 2c25c24b7e855d7484c633543048cd73
SHA1 68e349948840f25612fdc3c64e8033c5b9f71ba5
SHA256 c1e8ce06a1e3446d239836e3e117de260278ea8b027b082f764f120418aafc40
SHA512 e685e6926613edb6c7ded3dffd3b05b1d75c96bbec83e8d8e5b2a3aa7a72354657e5a4101cc21c9a3ea0694636b6dbc38802b7e717208f31ded1a55c574848c4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6469612.exe

MD5 2f61b2219e6f4b67b4db987bf5ebaf2a
SHA1 48e24372a0e3fc2a9332d0661896fb98ec4cd396
SHA256 ae1cef89f945337a3091940f92b431e517573cfa0a6e29b95151359aacee2ee0
SHA512 3f24f722511f29db3da7c6b19723099244e9b3d0d10f15c23074153aba144dd9c73458a7d4378bc9129a53c2729fcbd20c8cfe0829bdd82e0d4398012c399002

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7551739.exe

MD5 ba5f05a4fe02c54497a08bc91c74dd9d
SHA1 420ae384056bc3be559a4362e341635d1b2c7bde
SHA256 a9cf07703a7d8656320e8190522c968fa053f8ad35faff52bdb6b35401473b04
SHA512 309f87685a0105d07c56f63047315080bf8a9edc5a25d5c89e314359cb7de88f8128f86004327c7aca3bb459a1a0b1f350757883fab9a99271f5a4669020b43d
