Malware Analysis Report

2025-04-03 09:06

Sample ID 241107-bvqcnssdqa
Target 95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa
SHA256 95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa
Tags
redline rodik discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa

Threat Level: Known bad

The file 95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa was found to be: Known bad.

Malicious Activity Summary

redline rodik discovery infostealer persistence

RedLine payload

RedLine

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 01:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 01:28

Reported

2024-11-07 01:30

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe
PID 2376 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe
PID 2376 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe
PID 5096 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe
PID 5096 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe
PID 5096 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe
PID 4412 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe
PID 4412 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe
PID 4412 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe
PID 2136 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe
PID 2136 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe
PID 2136 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe

Processes

C:\Users\Admin\AppData\Local\Temp\95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe

"C:\Users\Admin\AppData\Local\Temp\95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
RU 193.233.20.23:4124 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe

MD5 f55c9b36562ace6d480b1e931e09e918
SHA1 cfbd0c94955181645af8cee57394b6d46cdca1ea
SHA256 017374323884b51e854036ee6fee42f1a07c041ab7cf6740c058851b3dec874e
SHA512 2087ec8d44b3cd388f49846270ecec884b220cd081a00ddb92f256901d8db633e11cfab440549ae09b077ebd147caa08c667fe4289329c8b0defdb9d42d4eaec

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe

MD5 df72ca8e216aecb3460c0ca0989ef93d
SHA1 2a0f644b48b3f10a5cbc889db9c87558a00a0319
SHA256 9944be9df706b932b25e64b8fc5590d490f8520b555fbd74c17682ee83533f56
SHA512 3e30b24a249df193e5a0d09256f1f8323be1e7e4fc626ba304857b22712ba16e1b6f6161e0a52e991c9ddfedbc287a2fdead40c7544033d3f31c8b3cbd16fc7c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe

MD5 760e193d0de6af62e9be94e6a62aab80
SHA1 5db723781ee502c93f6b1954079694aa04d99fe4
SHA256 ec09b351cc91237cfe79c2038659a0fbec3b251f9a2ac6d31826a70596d846b8
SHA512 908d6e0235e1456dce5b06f23b489ab1d137bf3666f138967838caa7e01fb2fdf3b680eb55e6ccc41c7e2f37154d0076133a7337a5ac5b857b904c93b1e88ef5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe

MD5 e5e97fd2974a50b5a07e32634aa8c336
SHA1 c841973581b669ce53d079feae3bfc163eac3d48
SHA256 934f074101777f99e03a4671dfba2384942017a561be032adb310ac2aaf317e7
SHA512 9ce9697c2d5d18313dbcc463f3c6691f28783ff4a1671f205b8a4c5464adb2970fd34d279810266a814b65157e691fe7da59bac25da5a994ed15f35716a07e4b
