Malware Analysis Report

2025-01-22 08:59

Sample ID 240523-anfn8aee6s
Target 8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75
SHA256 8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75
Tags

redline drake infostealer persistence

score

10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75

Threat Level: Known bad

The file 8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75 was found to be: Known bad.

Malicious Activity Summary

redline drake infostealer persistence

RedLine

RedLine payload

Detects executables packed with ConfuserEx Mod

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-23 00:21

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 00:21

Reported

2024-05-23 00:23

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Detects executables packed with ConfuserEx Mod

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Executes dropped EXE

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1250032.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5185052.exe  N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator:   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process:     C:\Users\Admin\AppData\Local\Temp\8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75.exe
Target:      N/A

Description: Set value (str)
Indicator:   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process:     C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1250032.exe
Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75.exe

"C:\Users\Admin\AppData\Local\Temp\8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1250032.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1250032.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5185052.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5185052.exe

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           228.249.119.40.in-addr.arpa    udp
US       8.8.8.8:53           240.197.17.2.in-addr.arpa      udp
RU       83.97.73.131:19071   -                              tcp
US       8.8.8.8:53           241.150.49.20.in-addr.arpa     udp
NL       23.62.61.194:443     www.bing.com                   tcp
US       8.8.8.8:53           194.61.62.23.in-addr.arpa      udp
US       8.8.8.8:53           97.17.167.52.in-addr.arpa      udp
RU       83.97.73.131:19071   -                              tcp
US       8.8.8.8:53           86.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53           18.31.95.13.in-addr.arpa       udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa   udp
RU       83.97.73.131:19071   -                              tcp
US       8.8.8.8:53           43.58.199.20.in-addr.arpa      udp
RU       83.97.73.131:19071   -                              tcp
US       8.8.8.8:53           14.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53           tse1.mm.bing.net               udp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       8.8.8.8:53           57.169.31.20.in-addr.arpa      udp
RU       83.97.73.131:19071   -                              tcp
RU       83.97.73.131:19071   -                              tcp
US       8.8.8.8:53           5.173.189.20.in-addr.arpa      udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1250032.exe

MD5 57e96ebc3cc98f77feacc020065c546e
SHA1 05a6a299c4030ae6d09602b2e3ff1f49ac4f6867
SHA256 8161b65c2497f2ed46c15884e5b06c2d87513294c4a1602a9a582aa16cf1f06f
SHA512 c0e87def74a40b6e4980282da47adb23319a338cc577f6e1428a87079b5a88a254c58c2e32039505b12482002fb263a46506a65115a7b3a3e83656177522e084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5185052.exe

MD5 cc785bb007bed97870e64d2452e67592
SHA1 c6f53caa6f87f72acca4c17bfd66e84610d3458b
SHA256 ccdde049dae409075c3b116cbcc7277c1bd155b979b91e64491ab2cb616490e4
SHA512 1c69f6ff73c52cae6713d4eaf1e8818f8bc3eff6de3b0ed3aa539d64518efae26978b75139043e5212bb86a08eaa400882aa1f09d38589e53714e72a63ad2c6b

memory/2872-14-0x0000000000401000-0x0000000000403000-memory.dmp

memory/2872-15-0x0000000000750000-0x0000000000780000-memory.dmp

memory/2872-19-0x0000000000400000-0x0000000000550000-memory.dmp

memory/2872-20-0x0000000002610000-0x0000000002616000-memory.dmp

memory/2872-21-0x0000000004C10000-0x0000000005228000-memory.dmp

memory/2872-22-0x0000000005230000-0x000000000533A000-memory.dmp

memory/2872-23-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

memory/2872-24-0x0000000005340000-0x000000000537C000-memory.dmp

memory/2872-25-0x00000000053E0000-0x000000000542C000-memory.dmp