Malware Analysis Report

2025-04-03 13:56

Sample ID 241109-198j8stekj
Target 188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6
SHA256 188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6
Tags
redline discovery infostealer persistence
score
10/10

Analysis Overview

score
10/10

SHA256

188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6

Threat Level: Known bad

The file 188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6 was found to be: Known bad.

Malicious Activity Summary

redline discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:22

Reported

2024-11-09 22:24

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4507930.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7601471.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4507930.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4507930.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7601471.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe

"C:\Users\Admin\AppData\Local\Temp\188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4507930.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4507930.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7601471.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7601471.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
FI | 77.91.124.251:19069 | | tcp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
FI | 77.91.124.251:19069 | | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
FI | 77.91.124.251:19069 | | tcp
FI | 77.91.124.251:19069 | | tcp
FI | 77.91.124.251:19069 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
FI | 77.91.124.251:19069 | | tcp
FI | 77.91.124.251:19069 | | tcp
FI | 77.91.124.251:19069 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4507930.exe

MD5 56252d91ac7df6398dfff7418849511a
SHA1 09f5b5b019d887a38f1849961f1eb6b0afbcbfb5
SHA256 b7e08d7096e73e3bda5aed24d3296e48b0035f7a12c7c21ca0c7b494e6e38459
SHA512 d92f4371eb980c46198a18dfc1b00b0445c2fa5550d70c30da36e2234feeb24cb4c34cbb2ee665c653c9a26c6327d3d41df4f13f94ffd2035662c3e11a397ea5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7601471.exe

MD5 8f30f7f88229560306c5959c605316de
SHA1 36f26a905a9743f6dd1608e39b37d1116cafcc0a
SHA256 3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7
SHA512 267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

memory/4784-14-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

memory/4784-15-0x0000000000A70000-0x0000000000A98000-memory.dmp

memory/4784-16-0x0000000007DC0000-0x00000000083D8000-memory.dmp

memory/4784-17-0x00000000077D0000-0x00000000077E2000-memory.dmp

memory/4784-18-0x0000000007900000-0x0000000007A0A000-memory.dmp

memory/4784-19-0x0000000007830000-0x000000000786C000-memory.dmp

memory/4784-20-0x0000000073F20000-0x00000000746D0000-memory.dmp

memory/4784-21-0x0000000004E50000-0x0000000004E9C000-memory.dmp

memory/4784-22-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

memory/4784-23-0x0000000073F20000-0x00000000746D0000-memory.dmp