Malware Analysis Report

2025-03-15 04:39

Sample ID 240516-zsrdysga91
Target 33567cf4d522dad3e7bc0833a79098e0_NeikiAnalytics.exe
SHA256 52398edc347df25fad6d41dd9355515b859b5e94b7d939daa5052f2faf49f7c4
Tags
redline @winxxyyy infostealer
score
10/10

Analysis Overview

score
10/10

SHA256

52398edc347df25fad6d41dd9355515b859b5e94b7d939daa5052f2faf49f7c4

Threat Level: Known bad

The file 33567cf4d522dad3e7bc0833a79098e0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

redline @winxxyyy infostealer

RedLine

RedLine payload

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-16 20:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 20:59

Reported

2024-05-16 21:01

Platform

win7-20240221-en

Max time kernel

131s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33567cf4d522dad3e7bc0833a79098e0_NeikiAnalytics.dll,#1

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2248 set thread context of 1672 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 868 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 868 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 868 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 868 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 868 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 868 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 868 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2248 wrote to memory of 1672 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2248 wrote to memory of 1672 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2248 wrote to memory of 1672 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2248 wrote to memory of 1672 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2248 wrote to memory of 1672 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2248 wrote to memory of 1672 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2248 wrote to memory of 1672 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2248 wrote to memory of 1672 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2248 wrote to memory of 1672 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33567cf4d522dad3e7bc0833a79098e0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33567cf4d522dad3e7bc0833a79098e0_NeikiAnalytics.dll,#1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
NL 45.15.156.167:80 tcp
NL 45.15.156.167:80 tcp
NL 45.15.156.167:80 tcp
NL 45.15.156.167:80 tcp
NL 45.15.156.167:80 tcp
NL 45.15.156.167:80 tcp

Files

memory/1672-2-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1672-1-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1672-3-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1672-0-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1672-8-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1672-10-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1672-6-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1672-5-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1672-11-0x00000000740AE000-0x00000000740AF000-memory.dmp

memory/1672-12-0x00000000740A0000-0x000000007478E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp3C9.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/1672-26-0x00000000740AE000-0x00000000740AF000-memory.dmp

memory/1672-27-0x00000000740A0000-0x000000007478E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 20:59

Reported

2024-05-16 21:01

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33567cf4d522dad3e7bc0833a79098e0_NeikiAnalytics.dll,#1

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3620 set thread context of 4760 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33567cf4d522dad3e7bc0833a79098e0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33567cf4d522dad3e7bc0833a79098e0_NeikiAnalytics.dll,#1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 216.131.50.23.in-addr.arpa udp
NL 45.15.156.167:80 tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 45.15.156.167:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
NL 45.15.156.167:80 tcp
US 8.8.8.8:53 200.131.50.23.in-addr.arpa udp
NL 45.15.156.167:80 tcp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
NL 45.15.156.167:80 tcp
NL 45.15.156.167:80 tcp

Files

memory/4760-0-0x0000000000400000-0x0000000000452000-memory.dmp

memory/4760-1-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

memory/4760-2-0x0000000005F40000-0x00000000064E4000-memory.dmp

memory/4760-3-0x0000000005A30000-0x0000000005AC2000-memory.dmp

memory/4760-4-0x00000000059B0000-0x00000000059BA000-memory.dmp

memory/4760-5-0x0000000074CE0000-0x0000000075490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp4825.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/4760-22-0x00000000066F0000-0x0000000006766000-memory.dmp

memory/4760-23-0x0000000006DA0000-0x0000000006DBE000-memory.dmp

memory/4760-26-0x00000000075F0000-0x0000000007C08000-memory.dmp

memory/4760-27-0x0000000008F80000-0x000000000908A000-memory.dmp

memory/4760-28-0x0000000008ED0000-0x0000000008EE2000-memory.dmp

memory/4760-29-0x0000000008F30000-0x0000000008F6C000-memory.dmp

memory/4760-30-0x0000000009090000-0x00000000090DC000-memory.dmp

memory/4760-31-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

memory/4760-32-0x0000000074CE0000-0x0000000075490000-memory.dmp