Malware Analysis Report

2025-03-15 04:39

Sample ID: 240517-ce98ksce67
Target: 9d41eb2c2aa1e2ea204df751505fd22cbeb1d9228cb3a72ab9b9226525d1b171
SHA256: 9d41eb2c2aa1e2ea204df751505fd22cbeb1d9228cb3a72ab9b9226525d1b171
Tags: redline doma infostealer persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 9d41eb2c2aa1e2ea204df751505fd22cbeb1d9228cb3a72ab9b9226525d1b171
Threat Level: Known bad

The file 9d41eb2c2aa1e2ea204df751505fd22cbeb1d9228cb3a72ab9b9226525d1b171 was found to be: Known bad.

Malicious Activity Summary

Tags: redline doma infostealer persistence

RedLine

RedLine payload

Detects executables packed with ConfuserEx Mod

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-17 02:00

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-17 02:00
Reported: 2024-05-17 02:03
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d41eb2c2aa1e2ea204df751505fd22cbeb1d9228cb3a72ab9b9226525d1b171.exe"

Signatures

RedLine

Tags: infostealer redline

RedLine payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Detects executables packed with ConfuserEx Mod

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Executes dropped EXE

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3530801.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6502451.exe  N/A

Adds Run key to start application

Tags: persistence

Description: Set value (str)
  Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: C:\Users\Admin\AppData\Local\Temp\9d41eb2c2aa1e2ea204df751505fd22cbeb1d9228cb3a72ab9b9226525d1b171.exe
  Target: N/A

Description: Set value (str)
  Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3530801.exe
  Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d41eb2c2aa1e2ea204df751505fd22cbeb1d9228cb3a72ab9b9226525d1b171.exe

"C:\Users\Admin\AppData\Local\Temp\9d41eb2c2aa1e2ea204df751505fd22cbeb1d9228cb3a72ab9b9226525d1b171.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3530801.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3530801.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6502451.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6502451.exe

Network

Country  Destination          Domain                       Proto
US       8.8.8.8:53           217.106.137.52.in-addr.arpa  udp
RU       185.161.248.75:4132                               tcp
US       8.8.8.8:53           tse1.mm.bing.net             udp
US       204.79.197.200:443   tse1.mm.bing.net             tcp
US       204.79.197.200:443   tse1.mm.bing.net             tcp
US       204.79.197.200:443   tse1.mm.bing.net             tcp
US       8.8.8.8:53           79.190.18.2.in-addr.arpa     udp
US       8.8.8.8:53           g.bing.com                   udp
US       204.79.197.237:443   g.bing.com                   tcp
NL       23.62.61.97:443      www.bing.com                 tcp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53           237.197.79.204.in-addr.arpa  udp
US       8.8.8.8:53           97.61.62.23.in-addr.arpa     udp
NL       23.62.61.97:443      www.bing.com                 tcp
US       8.8.8.8:53           88.156.103.20.in-addr.arpa   udp
US       8.8.8.8:53           104.219.191.52.in-addr.arpa  udp
RU       185.161.248.75:4132                               tcp
US       8.8.8.8:53           157.123.68.40.in-addr.arpa   udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa   udp
RU       185.161.248.75:4132                               tcp
US       8.8.8.8:53           240.221.184.93.in-addr.arpa  udp
RU       185.161.248.75:4132                               tcp
US       8.8.8.8:53           48.229.111.52.in-addr.arpa   udp
US       8.8.8.8:53           205.47.74.20.in-addr.arpa    udp
US       8.8.8.8:53           tse1.mm.bing.net             udp
US       204.79.197.200:443   tse1.mm.bing.net             tcp
US       204.79.197.200:443   tse1.mm.bing.net             tcp
US       204.79.197.200:443   tse1.mm.bing.net             tcp
US       204.79.197.200:443   tse1.mm.bing.net             tcp
RU       185.161.248.75:4132                               tcp
RU       185.161.248.75:4132                               tcp
US       8.8.8.8:53           10.173.189.20.in-addr.arpa   udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3530801.exe

MD5: 0e91b490e12894938a011e23d87c8c81
SHA1: 49fec812384c0a884459e52f7dcb8f769df63273
SHA256: 63365de514ecfe3d27895953adf0663fe7fc9fd6c783da0a281d3437527a5654
SHA512: 6e97e189af5675e53f69ec93ec0d81e5c83e67f67d30b32e7981821f4e4f3002d61fe8d96c7e7a4523abd3498f96efced5c5e381c3239aa8236d718494f648d8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6502451.exe

MD5: 222dc580782fc4e47e67c2c214b59b7b
SHA1: 1110875dbf00edd33cfceba783651bf46615fd78
SHA256: b7ac95456d3132a1e30f457603aff128d36d20ce6fe29a0b0f7cc6ee383936af
SHA512: c9f0bd33b4de6aa631bdfb79accd0ce196b896af8d8ab255c8a62e0df059e16ec5d9c6a85e537f79b79c402abeed3aaa4ff2990dc3d6b2a78a0a42ccc4c2c5bb

memory/4200-14-0x0000000073C1E000-0x0000000073C1F000-memory.dmp
memory/4200-15-0x00000000002F0000-0x000000000031A000-memory.dmp
memory/4200-16-0x0000000005280000-0x0000000005898000-memory.dmp
memory/4200-17-0x0000000004DC0000-0x0000000004ECA000-memory.dmp
memory/4200-18-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/4200-19-0x0000000004D50000-0x0000000004D8C000-memory.dmp
memory/4200-20-0x0000000004ED0000-0x0000000004F1C000-memory.dmp
memory/4200-21-0x0000000073C1E000-0x0000000073C1F000-memory.dmp