Malware Analysis Report

2025-03-15 01:38

Sample ID 230910-tpvdjsad25
Target c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0
SHA256 c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0

Threat Level: Known bad

The file c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 16:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 16:14

Reported

2023-09-10 16:17

Platform

win10-20230831-en

Max time kernel

135s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9037731.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9037731.exe
PID 2892 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9037731.exe
PID 2892 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9037731.exe
PID 4116 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9037731.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe
PID 4116 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9037731.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe
PID 4116 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9037731.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe
PID 2292 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7831765.exe
PID 2292 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7831765.exe
PID 2292 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7831765.exe
PID 2292 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9535050.exe
PID 2292 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9535050.exe
PID 2292 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9535050.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0.exe

"C:\Users\Admin\AppData\Local\Temp\c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9037731.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9037731.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7831765.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7831765.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9535050.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9535050.exe

Network

Country Destination Domain Proto
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 1.0.9.d.c.d.d.7.8.5.d.1.7.0.c.9.1.0.9.d.c.d.d.7.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 204.201.50.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9037731.exe

MD5 e3c79d6f28f06b0f06bec4960ee6f0d2
SHA1 d8896458ff0fa8c44d5ea070650cda829146ad95
SHA256 04a8b0cb3ddc31ec1d5c87aa4c4093af9ed402847c1063fec21a315020316a81
SHA512 5da05868c801853cc21193e97d4b17bda12514614eaacf3ab47245c32546937e4ec7dec0a5a7eb7713739fb347c6f289e76fa2f52675215b5153cb559c4ec8d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe

MD5 ed0fafb3e59865de276a050a0a0ca0fc
SHA1 2f0cc07b778d4591770afc20d987cc59b12e4d1f
SHA256 4962276e2e8b09d57171936007dfdd9106cd8c6757d2ba6f482cd0db75fc49a1
SHA512 b1d1162eeecb2a9cba8c1e0654516f54c106bc1a1215df4a2a089d9aef85a6fb28e8aada0806c6428089e7c715350fdae132f5b2cb4874991fbae86d9f96f71b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7831765.exe

MD5 f12d881c23d687ec7e4db45455f9a230
SHA1 e9803096643f32fa658d7a304fab027302b603c7
SHA256 175745bcdee101e425ccc28e395bb0865e949ed47b7dc4e5e09232e9bb0ded42
SHA512 f13b6e7487ec066272d95585a23cf17a65437a8fb731868f681c6a6e7bd90fea94acf87a3afc199d2714a4fcf0fab8e5c9a72d778ee017d4aa7b75ac400c07fe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9535050.exe

MD5 4802cd9e82d4bf5d233b60d550e2b95a
SHA1 ee417f030ca000ae2158ba0e64fe5daba831b519
SHA256 a63db67e8e0271ea660200fe80bac9c02a88019d866237081a79a35e59baca60
SHA512 9c359bfa4c3e00632fdadf7a2ca9d1ed530c940e4d6ce7cd7235c0270c9899d7a85501a8d6004c2465951a7c97e0045c67d0ff7bfae648c0da6d19b4b73f069c

memory/1692-24-0x0000000000670000-0x00000000006A0000-memory.dmp

memory/1692-25-0x0000000073310000-0x00000000739FE000-memory.dmp

memory/1692-26-0x0000000004E30000-0x0000000004E36000-memory.dmp

memory/1692-27-0x000000000A940000-0x000000000AF46000-memory.dmp

memory/1692-28-0x000000000A480000-0x000000000A58A000-memory.dmp

memory/1692-29-0x000000000A3B0000-0x000000000A3C2000-memory.dmp

memory/1692-30-0x000000000A410000-0x000000000A44E000-memory.dmp

memory/1692-31-0x000000000A590000-0x000000000A5DB000-memory.dmp

memory/1692-32-0x0000000073310000-0x00000000739FE000-memory.dmp