Malware Analysis Report

2025-05-28 18:12

Sample ID 241105-c2cwlasfjb
Target 57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649
SHA256 57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649
Tags: redline daris discovery infostealer persistence
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis Overview

Score: 10/10

SHA256: 57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649

Threat Level: Known bad

The file 57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649 was found to be: Known bad.

Malicious Activity Summary

redline daris discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-05 02:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-05 02:33
Reported: 2024-11-05 02:37
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe"

Signatures

RedLine

Tags: infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

Tags: redline

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2936507.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9175512.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2936507.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2936507.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9175512.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2936507.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2936507.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9175512.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9175512.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
CY | 217.196.96.56:4138 | - | tcp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
CY | 217.196.96.56:4138 | - | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
CY | 217.196.96.56:4138 | - | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
CY | 217.196.96.56:4138 | - | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
CY | 217.196.96.56:4138 | - | tcp
CY | 217.196.96.56:4138 | - | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2936507.exe
  MD5: 9f0563d17bf9f60520c88b0535050c5e
  SHA1: 7d3a68cf75e74e8711ab9e1d3556a36faff206ff
  SHA256: d7e820dd6dafc41691a4dbc0168d3837ea8ff49d6d9d31cf0d81521c9063e7ca
  SHA512: a980be3e6e843f344face252995f8ad02ffa490230509c2d6329ee86a64ff537751858a0159279e44fb374eab6f0a6999805807e959edad03f2fd58291a93244

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9175512.exe
  MD5: bf39d72105f904ba0dbf967cdabe1458
  SHA1: 0d0cc8c770402173931ec5d74fac117c4e5f9e2e
  SHA256: 1c7869d733cfca38d87faebd465681b5211984a524b13bc766d2e2a5e068c56d
  SHA512: 796ce2f2670d7a82f401bd7e02fa928d8404bed46a2ab9b53cbe06b905c70f48629195dcfe81228d82b882c963e3a5045fe1969e2a8911b5873177bb212f3553

memory/3460-14-0x00000000746EE000-0x00000000746EF000-memory.dmp
memory/3460-15-0x0000000000890000-0x00000000008BE000-memory.dmp
memory/3460-16-0x00000000052F0000-0x00000000052F6000-memory.dmp
memory/3460-17-0x000000000ACC0000-0x000000000B2D8000-memory.dmp
memory/3460-18-0x000000000A840000-0x000000000A94A000-memory.dmp
memory/3460-19-0x000000000A770000-0x000000000A782000-memory.dmp
memory/3460-20-0x000000000A7D0000-0x000000000A80C000-memory.dmp
memory/3460-21-0x00000000746E0000-0x0000000074E90000-memory.dmp
memory/3460-22-0x0000000004D30000-0x0000000004D7C000-memory.dmp
memory/3460-23-0x00000000746EE000-0x00000000746EF000-memory.dmp
memory/3460-24-0x00000000746E0000-0x0000000074E90000-memory.dmp