Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-th1a8aac6z
Target 4ce9240b27044909c8eb2ea20e39cd9b18a85e95363d3aba871166fbf2b58d19
SHA256 4ce9240b27044909c8eb2ea20e39cd9b18a85e95363d3aba871166fbf2b58d19
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4ce9240b27044909c8eb2ea20e39cd9b18a85e95363d3aba871166fbf2b58d19

Threat Level: Known bad

The file 4ce9240b27044909c8eb2ea20e39cd9b18a85e95363d3aba871166fbf2b58d19 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 16:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 16:04

Reported

2023-09-10 16:06

Platform

win10v2004-20230831-en

Max time kernel

143s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ce9240b27044909c8eb2ea20e39cd9b18a85e95363d3aba871166fbf2b58d19.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4ce9240b27044909c8eb2ea20e39cd9b18a85e95363d3aba871166fbf2b58d19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7927850.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1076109.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3980 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\4ce9240b27044909c8eb2ea20e39cd9b18a85e95363d3aba871166fbf2b58d19.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7927850.exe
PID 660 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7927850.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1076109.exe
PID 2788 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1076109.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3750619.exe
PID 2788 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1076109.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6469564.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4ce9240b27044909c8eb2ea20e39cd9b18a85e95363d3aba871166fbf2b58d19.exe

"C:\Users\Admin\AppData\Local\Temp\4ce9240b27044909c8eb2ea20e39cd9b18a85e95363d3aba871166fbf2b58d19.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7927850.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1076109.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3750619.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6469564.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 99.134.101.95.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 120.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7927850.exe

MD5 4a014e8aa37146029a435d77a71bd1c5
SHA1 e49b40abd1d4e3f7a4af24054e0bae9463de482a
SHA256 40322bb26aaeb78c49e5db567eae839bb5b1cee69a61a21091e0feb55de2590c
SHA512 74b4a5bf665690b30cd6f7a1daec3d889b012c1d1af7aeedac1325295d1552311f3272b00a23a1d96f840ff59c4cd1747893d39506bf863cab5480c831f20c69

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1076109.exe

MD5 76b006c0a88bf56a72fbcc4ef7c30fac
SHA1 f28153daa6dc91251251b2893b1ffcd418701565
SHA256 14000c30e18607507ed684b345288b7b8f4a1d5d34c558d66c9483ce66a49535
SHA512 19bdcb74cd02ca61bc7e875c3497d049f18950e17746808c75da5a2d0f226f33c88185fe6982c44a16de5f3e0060381f1f84ed5278f12a94241f365f9ddc95f3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3750619.exe

MD5 c5c834095c3738981936b89138ab4de5
SHA1 bc93ac94ee751e4258310af686f2c38dfd9cbec2
SHA256 c93eb6c98e6ccd58af89c704d5f7db520c9e299a2df243384c239ef9507f64c0
SHA512 7f33db7750ca37c8bc54e3dee39a151e78363be332ed5d8348adb13370e293bf26055281c311ee823d5a9c47dd67a5aaf5ddf24796e26748e4409c1f805c5f43

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6469564.exe

MD5 9ab91ab47c32839265c32757a763300a
SHA1 c3d894358ccd3a69870974d6db1aff4f9399e58d
SHA256 c3bf560b6955ecd08108dcbe5717b8f92760913ace0d5b6e8a51bca74ad9aab1
SHA512 613b08b54bf4047fb5ec460fc68b2b17cbfdb734b2413f4ab89f9102617171c1502c547ed7293ab89caa175839bcb16c144c8c364b1b728a49828f14181f5d07

memory/2432-24-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/2432-25-0x0000000000F10000-0x0000000000F40000-memory.dmp

memory/2432-26-0x0000000005ED0000-0x00000000064E8000-memory.dmp

memory/2432-27-0x00000000059C0000-0x0000000005ACA000-memory.dmp

memory/2432-28-0x00000000057A0000-0x00000000057B0000-memory.dmp

memory/2432-29-0x00000000058B0000-0x00000000058C2000-memory.dmp

memory/2432-30-0x0000000005910000-0x000000000594C000-memory.dmp

memory/2432-31-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/2432-32-0x00000000057A0000-0x00000000057B0000-memory.dmp