Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-tb6jnaac4x
Target 056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836
SHA256 056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836

Threat Level: Known bad

The file 056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 15:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 15:54

Reported

2023-09-10 15:56

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2401678.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6247132.exe N/A

Note on this signature: all three values are the stock cleanup entries written by wextract.exe, the Windows CAB self-extractor stub used by IExpress packages. Each value tells rundll32 to call advpack.dll,DelNodeRunDLL32 on the IXP00n.TMP extraction directory so that it is deleted at the next logon, and a RunOnce value is removed once it has run, so nothing here restarts the payload; the "persistence" tag is the sandbox's generic label for any Run/RunOnce write. What the indicator does expose is the nesting: the sample extracts y2401678.exe into IXP000.TMP, y2401678.exe extracts y6247132.exe into IXP001.TMP, and y6247132.exe extracts m0317448.exe and n8492571.exe into IXP002.TMP, a three-deep chain of self-extracting stages.
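The distinction drawn above can be automated. The following is an added example, not part of the sandbox report: it classifies a RunOnce value as the wextract cleanup pattern (rundll32 advpack.dll,DelNodeRunDLL32 on an IXPnnn.TMP directory) or as something that needs analyst review, and then reconstructs the SFX nesting from the process that wrote each value. The three report rows are copied from the table above; the "Updater" row is constructed here to show the other branch.

```python
import re

# Added example (not from the report): tell the stock wextract.exe cleanup entry apart
# from a real autostart, and recover the SFX nesting from who wrote each entry.

# wextract names its cleanup values wextract_cleanup<N> ...
NAME_RE = re.compile(r"wextract_cleanup\d+", re.IGNORECASE)
# ... and each value calls advpack.dll,DelNodeRunDLL32 on one quoted directory.
VALUE_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?P<dll>\S*advpack\.dll),DelNodeRunDLL32\s+"(?P<dir>[^"]+)"$',
    re.IGNORECASE,
)
# The directory wextract extracts into is %TEMP%\IXP<nnn>.TMP (trailing backslash optional).
IXP_RE = re.compile(r"\\(IXP\d{3}\.TMP)\\?$", re.IGNORECASE)


def classify_runonce(name: str, value: str) -> dict:
    """Return {'kind': 'wextract_cleanup', 'dir': 'IXPnnn.TMP'} for the stock cleanup
    entry, otherwise {'kind': 'review', 'dir': None} so an analyst looks at it."""
    m = VALUE_RE.match(value.strip())
    if m and NAME_RE.fullmatch(name):
        ixp = IXP_RE.search(m.group("dir"))
        if ixp:
            return {"kind": "wextract_cleanup", "dir": ixp.group(1).upper()}
    return {"kind": "review", "dir": None}


def sfx_chain(rows) -> dict:
    """Map each IXPnnn.TMP directory to the process that registered its cleanup.

    rows are (value_name, value_data, writing_process) triples as in the report.
    Each nested stage writes its own cleanup value from inside the previous
    stage's directory, so the mapping shows the depth of the SFX chain.
    """
    chain = {}
    for name, value, process in rows:
        c = classify_runonce(name, value)
        if c["kind"] == "wextract_cleanup":
            chain[c["dir"]] = process
    return chain


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "'
REPORT_ROWS = [  # copied from the "Adds Run key to start application" table
    ("wextract_cleanup0", CLEANUP + TEMP + r'\IXP000.TMP\"',
     TEMP + r"\056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836.exe"),
    ("wextract_cleanup1", CLEANUP + TEMP + r'\IXP001.TMP\"',
     TEMP + r"\IXP000.TMP\y2401678.exe"),
    ("wextract_cleanup2", CLEANUP + TEMP + r'\IXP002.TMP\"',
     TEMP + r"\IXP001.TMP\y6247132.exe"),
]
# Constructed row (not from the report): what a genuine autostart value looks like.
CONSTRUCTED_AUTOSTART = ("Updater", r'"C:\Users\Admin\AppData\Roaming\svc.exe" /silent',
                         TEMP + r"\x.exe")

if __name__ == "__main__":
    for name, value, _ in REPORT_ROWS + [CONSTRUCTED_AUTOSTART]:
        print(f"{name}: {classify_runonce(name, value)}")
    for ixp, proc in sfx_chain(REPORT_ROWS).items():
        print(f"{ixp} created by {proc}")
```

A cleanup value that points anywhere other than an IXPnnn.TMP directory deliberately falls into the review bucket: DelNodeRunDLL32 deletes whatever directory it is handed, so an attacker-controlled path there is worth a look even though the value name mimics wextract.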

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3804 wrote to memory of 3468 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2401678.exe
PID 3468 wrote to memory of 2856 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2401678.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6247132.exe
PID 2856 wrote to memory of 3892 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6247132.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0317448.exe
PID 2856 wrote to memory of 1912 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6247132.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8492571.exe

The sandbox logs one row per WriteProcessMemory call, so each pair appears three times in the raw output; the rows are collapsed here with a count. Every write goes from a stage into the child it has just dropped and started, which is consistent with a parent setting up the process it created rather than with injection into an unrelated process. No write into a pre-existing or system process is recorded, so this signature on its own does not show process injection.

Processes

Process tree (parent/child relationships and PIDs taken from the WriteProcessMemory rows above; each entry gives the image path followed by the command line the sandbox recorded)

PID 3804  C:\Users\Admin\AppData\Local\Temp\056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836.exe
          "C:\Users\Admin\AppData\Local\Temp\056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836.exe"
  PID 3468  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2401678.exe
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2401678.exe
    PID 2856  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6247132.exe
              C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6247132.exe
      PID 3892  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0317448.exe
                C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0317448.exe
      PID 1912  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8492571.exe
                C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8492571.exe
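The process tree above can be rebuilt mechanically from the WriteProcessMemory rows, which is useful when a report has dozens of stages. This is an added example and not part of the sandbox report: it parses the rows as printed, collapses repeated calls into one edge with a count, builds the parent/child tree, and flags any write whose target is not a freshly dropped IXPnnn.TMP stage, the case that would actually point at injection. The twelve rows are the report's own; the explorer.exe row used in the usage note is constructed.

```python
import re
from collections import Counter, defaultdict

# Added example (not from the report): process tree from "wrote to memory of" rows.
# Row shape as printed by the sandbox: "PID <src> wrote to memory of <dst> <indicator> <src_img> <dst_img>".
# Image paths in this report contain no spaces, which the \S+ groups rely on.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+\S+\s+(?P<src_img>\S+)\s+(?P<dst_img>\S+)$"
)
# A target living in an IXPnnn.TMP directory is a stage the writer just extracted.
STAGE_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)


def parse_rows(rows):
    """Collapse the raw rows into edges (src_pid, dst_pid) -> write count and a pid -> image map."""
    edges = Counter()
    image = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        image[src] = m["src_img"]
        image[dst] = m["dst_img"]
    return edges, image


def build_tree(edges):
    """Return (roots, children, parent); insertion order of edges is preserved."""
    children = defaultdict(list)
    parent = {}
    for src, dst in edges:
        if dst not in children[src]:
            children[src].append(dst)
        parent[dst] = src
    roots = [pid for pid in children if pid not in parent]
    return roots, children, parent


def depth(pid, parent):
    """Number of ancestors above pid; the original sample sits at depth 0."""
    n = 0
    while pid in parent:
        pid = parent[pid]
        n += 1
    return n


def foreign_targets(edges, image):
    """Edges whose target is not a dropped SFX stage: the writes worth a second look."""
    return [(s, d) for (s, d) in edges if not STAGE_DIR.search(image[d])]


def render(roots, children, parent, image, edges):
    """Indented text tree, one line per process, with the write count from its parent."""
    lines = []

    def walk(pid, level):
        note = f"  <- {edges[(parent[pid], pid)]} writes from PID {parent[pid]}" if pid in parent else ""
        lines.append("  " * level + f"PID {pid} {image[pid]}{note}")
        for child in children.get(pid, []):
            walk(child, level + 1)

    for root in roots:
        walk(root, 0)
    return lines


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836.exe"
S1 = TEMP + r"\IXP000.TMP\y2401678.exe"
S2 = TEMP + r"\IXP001.TMP\y6247132.exe"
S3A = TEMP + r"\IXP002.TMP\m0317448.exe"
S3B = TEMP + r"\IXP002.TMP\n8492571.exe"
REPORT_ROWS = (  # each row appears three times in the report, one per WriteProcessMemory call
    [f"PID 3804 wrote to memory of 3468 N/A {SAMPLE} {S1}"] * 3
    + [f"PID 3468 wrote to memory of 2856 N/A {S1} {S2}"] * 3
    + [f"PID 2856 wrote to memory of 3892 N/A {S2} {S3A}"] * 3
    + [f"PID 2856 wrote to memory of 1912 N/A {S2} {S3B}"] * 3
)

if __name__ == "__main__":
    edges, image = parse_rows(REPORT_ROWS)
    roots, children, parent = build_tree(edges)
    print("\n".join(render(roots, children, parent, image, edges)))
    print("writes outside the SFX chain:", foreign_targets(edges, image))
```

On the report's rows foreign_targets returns an empty list; appending a constructed row such as `PID 1912 wrote to memory of 4444 N/A <n8492571.exe path> C:\Windows\explorer.exe` makes it return [(1912, 4444)], which is the shape of evidence the "Suspicious use of WriteProcessMemory" label would need before it is read as injection.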

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
FI 77.91.124.82:19071 - tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 77.91.124.82:19071 - tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
FI 77.91.124.82:19071 - tcp
FI 77.91.124.82:19071 - tcp
FI 77.91.124.82:19071 - tcp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
FI 77.91.124.82:19071 - tcp

Summary: only two hosts are contacted directly, both by hard-coded IP with no preceding forward DNS query: 5.42.92.211:80 (RU, one TCP connection) and 77.91.124.82:19071 (FI, six TCP connections over the 149 s network window). Every 8.8.8.8:53 row is a reverse (PTR) lookup; the Domain column shows the in-addr.arpa name, whose octets are reversed, not a domain the sample asked for. 211.92.42.5.in-addr.arpa is the PTR query for 5.42.92.211; the other thirteen are for addresses that appear nowhere else in the capture and are best treated as resolver noise from the guest. For blocking and hunting, the two IP:port pairs are the usable indicators; there is no domain to sinkhole.
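Separating the directly contacted endpoints from the PTR noise is a small but recurring chore with sandbox network tables. The following is an added example, not part of the sandbox report: it parses the rows exactly as printed, decodes in-addr.arpa names back to the address being looked up, counts connections per endpoint, and emits the blockable indicators together with whether the guest also asked for the endpoint's reverse name. The rows are copied verbatim from the table above; treating 8.8.8.8:53 as the resolver is an assumption based on its being the only UDP/53 destination present.

```python
import re
from collections import Counter

# Added example (not from the report): split a sandbox Network table into direct
# connections (blockable), reverse lookups (no sample-chosen domain) and forward lookups.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<name>\S+)\s+)?(?P<proto>tcp|udp)$"
)
RESOLVER = ("8.8.8.8", 53)  # assumption: the only UDP/53 destination in this capture


def ptr_to_ip(name):
    """'211.92.42.5.in-addr.arpa' -> '5.42.92.211'; PTR names list the octets reversed."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def summarize(rows):
    endpoints = Counter()   # (ip, port, proto) -> number of connections
    ptr_lookups = []        # addresses the guest asked reverse names for
    forward_lookups = []    # names the guest resolved (none in this capture)
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        ip, port, proto, name = m["ip"], int(m["port"]), m["proto"], m["name"]
        if (ip, port) == RESOLVER and proto == "udp" and name:
            target = ptr_to_ip(name)
            if target:
                ptr_lookups.append(target)
            else:
                forward_lookups.append(name)
            continue
        endpoints[(ip, port, proto)] += 1
    return endpoints, ptr_lookups, forward_lookups


def iocs(endpoints, ptr_lookups):
    """Indicators for blocking: each non-resolver endpoint, with whether its PTR was also queried."""
    asked = set(ptr_lookups)
    return [
        {"ip": ip, "port": port, "proto": proto, "connections": n, "ptr_queried": ip in asked}
        for (ip, port, proto), n in endpoints.items()
    ]


REPORT_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
""".splitlines()

if __name__ == "__main__":
    ep, ptrs, fwd = summarize(REPORT_ROWS)
    for ioc in iocs(ep, ptrs):
        print(ioc)
    print(f"{len(ptrs)} PTR lookups, {len(fwd)} forward lookups")
```

The ptr_queried flag is worth keeping in the output: a PTR query for an address the sample connected to is usually the guest's resolver behaviour, not the malware's, so it should not be mistaken for a second indicator.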

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2401678.exe

MD5 2eb2586bfa97e4595d6c949c9a1c18a9
SHA1 bebc730c30c19926efca5e6901e87d5dfb7f50c8
SHA256 cc29e033b98ae879cc6b204314c37b48bbf05d652fd7adfa57a751e6913819f2
SHA512 63313c8b3c1fe123331fcba2cdb00cb25f1e8bf7cdd22fa2a1d6dbc38572a6fcc440ae840c3306db39e048cdfe35a28f3c7d6def223c832da3fb7c06486e607d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6247132.exe

MD5 6c05a54057feed24c217761e5fc231d3
SHA1 eaf1139ed114bda6a3304d596f289ecc5c507e3e
SHA256 1569ab69f313c7dfd64829a7ccfa03dd702be3485f096b9c93b2fb3493fca806
SHA512 7f37f8d41dc8ed217f263c014ae6fdb99b9f7ee61eb806784bba4ad8809b42958cd0193d62ac7f687270d2dc21a7dacf06c12621e17381c16d4b632f0c743cf6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0317448.exe

MD5 2b6a06b35dc40c657cff55003ab9ace3
SHA1 b424c95e74acf538a053926863a322cf266ea01f
SHA256 4000791bd038ef86c859554da678dac44c57a032663501e53bd1414bd7ceeedf
SHA512 5806b6d7040a78c2efc0376db0d5e81d6fbbf30fb2e2265d26e96f613e7c51c61ce663e5e1cac72794a42805f43f84c63630f8062f6dafb6b7250fd3d323e0b1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8492571.exe

MD5 0369c7f9cb0a49d94791fafb750c07dc
SHA1 7a5e03f39d0058bf9dd353191ddc069589d8cebb
SHA256 ce8729d258a44fd9009a0a7d1082c1c87e1c1fd447ad59cb9daf49d6c360e3c9
SHA512 374daa716b262fb7f08252fe97cd0e2af2b729d7724ebc0446f75f3c298035833d9d94ff1044d31d63db005b6fdc80cddd6a8737f76815f55f02a4b3e3800905

Memory dumps (all taken from PID 1912, n8492571.exe, the only process the sandbox dumped; the 0x747C0000-0x74F70000 and 0x051D0000-0x051E0000 regions were captured twice, at dump indices 24/31 and 28/32)

memory/1912-24-0x00000000747C0000-0x0000000074F70000-memory.dmp
memory/1912-25-0x0000000000860000-0x0000000000890000-memory.dmp
memory/1912-26-0x000000000AC90000-0x000000000B2A8000-memory.dmp
memory/1912-27-0x000000000A810000-0x000000000A91A000-memory.dmp
memory/1912-28-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/1912-29-0x000000000A750000-0x000000000A762000-memory.dmp
memory/1912-30-0x000000000A7B0000-0x000000000A7EC000-memory.dmp
memory/1912-31-0x00000000747C0000-0x0000000074F70000-memory.dmp
memory/1912-32-0x00000000051D0000-0x00000000051E0000-memory.dmp