Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-te3beaac66
Target db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee
SHA256 db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee

Threat Level: Known bad

The file db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 15:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 15:59

Reported

2023-09-10 16:01

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8657000.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4216 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8657000.exe
PID 4216 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8657000.exe
PID 4216 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8657000.exe
PID 4120 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8657000.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe
PID 4120 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8657000.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe
PID 4120 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8657000.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe
PID 4472 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7166275.exe
PID 4472 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7166275.exe
PID 4472 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7166275.exe
PID 4472 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5871070.exe
PID 4472 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5871070.exe
PID 4472 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5871070.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee.exe"

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8657000.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8657000.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7166275.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7166275.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5871070.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5871070.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 113.132.60.8.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 11.73.50.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 254.7.248.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8657000.exe

MD5 ba551f1df27817c36d126be92f607d36
SHA1 9f6a5f2c7e884d381a44c41f5d5d582de31e385a
SHA256 37aefc87c62f04cc96a085cd0a814e3abf3b5407b6f7fb3fd426efcc320d7a9f
SHA512 cb9c7924a653ab9a99a1d5397a43f1303c4649ee231d5d61f57259db3aac91f97ba1e9bf7554523a0c437d45f99be0207e521b078c5fd231ff90904112d730b4
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe

MD5 261b226b34a93e616027a74408b707ba
SHA1 b961a95b045e1992c62fef615c4e1dd174b1da61
SHA256 a8201a7ce0c444498b015a95b962b109237590dc6857f4450733a4b7562aab60
SHA512 64617256beabba93e56cb348c8f285ed9db00d7c03e5421fed93d7e370a7c85d60b7f35f879fbf17331be3ef9f583def6d4c05692b8c81350c80fbb0780fca54
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7166275.exe

MD5 3a4b10d36a038f6c05afe5f64ec2bb76
SHA1 758eb4dba2bdfeffe1e06bf48a93ef1eaf3b344f
SHA256 b5bf7bc08eb773114ea5d16ed71cc1b0fccaeff837c612f472563eb1d4ca662e
SHA512 781b78cbbe97fb24434fb4cde283831aacb23de65b7f43b20969d033c0f8377f86bd7f0466f19d8e8a86434a200f44ef5ce623d840039031c9e0ddf2eaf7b5cd
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5871070.exe

MD5 fffc92607c54d8a4f7d22147f200ccde
SHA1 c49a4dba6e04b3ab09354466060db02a80bd4e54
SHA256 3c58ea7b021e3433e09693739299b5f8714419ba181a8994b2296bd97eeed270
SHA512 e4fc458835b3cb8c9aa749e364f720d40a663beb9644bcb871a573e8f1b6c4bce573a45c5f9acc310c3b41e2d6ebbd562b7f67b80532174ee5c0b4345f9cc479
memory/4272-24-0x00000000001C0000-0x00000000001F0000-memory.dmp

memory/4272-25-0x00000000741F0000-0x00000000749A0000-memory.dmp

memory/4272-26-0x0000000005170000-0x0000000005788000-memory.dmp

memory/4272-27-0x0000000004C60000-0x0000000004D6A000-memory.dmp

memory/4272-29-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/4272-28-0x0000000004B50000-0x0000000004B62000-memory.dmp

memory/4272-30-0x0000000004BB0000-0x0000000004BEC000-memory.dmp

memory/4272-31-0x00000000741F0000-0x00000000749A0000-memory.dmp

memory/4272-32-0x0000000004B40000-0x0000000004B50000-memory.dmp