Malware Analysis Report

2025-06-15 23:50

Sample ID: 241104-28m3kssjck
Target: 91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89
SHA256: 91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89
Tags: redline ruma discovery infostealer persistence
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10
SHA256: 91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89
Threat Level: Known bad

The file 91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89 was found to be: Known bad.

Malicious Activity Summary

Tags: redline ruma discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-04 23:15

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-04 23:15
Reported: 2024-11-04 23:17
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Redline family

redline

Adds Run key to start application

persistence

Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: C:\Users\Admin\AppData\Local\Temp\91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe
  Target: N/A

Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOH21.exe
  Target: N/A

Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgE60.exe
  Target: N/A

Note: RunOnce values named wextract_cleanupN that call advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory are written by the Windows wextract self-extracting cabinet stub to delete its temporary extraction directory at the next logon. The three entries therefore reflect a three-layer nested SFX package (sample -> vOH21.exe -> vgE60.exe -> dSR33.exe) rather than a Run key that relaunches the payload.

System Location Discovery: System Language Discovery

discovery
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOH21.exe
  Target: N/A

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgE60.exe
  Target: N/A

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSR33.exe
  Target: N/A

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: C:\Users\Admin\AppData\Local\Temp\91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe
  Target: N/A

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege
  Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSR33.exe
  Target: N/A

Suspicious use of WriteProcessMemory

PID 4936 wrote to memory of 4920 (3 events)
  Process: C:\Users\Admin\AppData\Local\Temp\91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe
  Target: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOH21.exe

PID 4920 wrote to memory of 1164 (3 events)
  Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOH21.exe
  Target: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgE60.exe

PID 1164 wrote to memory of 4824 (3 events)
  Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgE60.exe
  Target: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSR33.exe

Processes

C:\Users\Admin\AppData\Local\Temp\91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOH21.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOH21.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgE60.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgE60.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSR33.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSR33.exe

Network

Duplicate rows collapsed; the Hits column gives how many times the identical row appeared.

Country  Destination          Domain                          Proto  Hits
US       8.8.8.8:53           241.150.49.20.in-addr.arpa      udp    1
US       8.8.8.8:53           97.12.20.2.in-addr.arpa         udp    1
RU       193.233.20.13:4136   -                               tcp    6
US       8.8.8.8:53           67.31.126.40.in-addr.arpa       udp    1
US       8.8.8.8:53           95.221.229.192.in-addr.arpa     udp    1
US       8.8.8.8:53           154.239.44.20.in-addr.arpa      udp    1
US       8.8.8.8:53           53.210.109.20.in-addr.arpa      udp    1
US       8.8.8.8:53           15.164.165.52.in-addr.arpa      udp    1
US       8.8.8.8:53           240.221.184.93.in-addr.arpa     udp    1
US       8.8.8.8:53           94.12.20.2.in-addr.arpa         udp    1
US       8.8.8.8:53           88.156.103.20.in-addr.arpa      udp    1
US       8.8.8.8:53           11.227.111.52.in-addr.arpa      udp    1
US       8.8.8.8:53           tse1.mm.bing.net                udp    1
US       150.171.27.10:443    tse1.mm.bing.net                tcp    5
US       8.8.8.8:53           10.27.171.150.in-addr.arpa      udp    1
US       8.8.8.8:53           10.173.189.20.in-addr.arpa      udp    1

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOH21.exe

MD5 061a690b6e59859bbe6b9e2b2a065837
SHA1 87d9318901894dde383e1415f969c0f674d98163
SHA256 5a7d20c157da8f7272d992d9a836c3fb07d87db64df817811de7062cc96ded12
SHA512 39e228ec7087804e407ec3cf0b6c75d75def808bfc4a457954592de057124459fa0a2b3cffd14d9071441a95b87d18ad375c96dcfcadd5e069256b95072bf318

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgE60.exe

MD5 6152d6997a4a314c7cc84f91a2f9d255
SHA1 24741359c190377f2d992eaf8d095c8ca4969cba
SHA256 ba0a88430c18336ca71151ba08d0044ab7e050312664c1a1e15b38e0c2340a42
SHA512 a543188032424c9b9029cf4eb8f1b3ca5b86397e11e0fbb584f743a53e904413b0bb98795136bc803321aea568d515d48502fb0e69a8c115f66fa3675597f621

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSR33.exe

MD5 b5b088e47af91c344e3583ef9391586f
SHA1 81c28284f693f66d1d30b8ee09f0d69e27457333
SHA256 3f201ce75b624c56d73e6aa11e0d93825455d0ee88d3fdcc8e2f3bafae6cc739
SHA512 9d0789dfa16b849709e3bb04159ed2bf6ccd74975472efe87aeb9d8ff0539b8953cb0937b4d646fba7d1460ea8c1fd0ee4dfb9ec2debfefdee70ab9b05ca1a3b
