Malware Analysis Report

2025-04-03 13:14

Sample ID 241109-19ayzatdnf
Target 48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621
SHA256 48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621
Tags
redline ramon discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621

Threat Level: Known bad

The file 48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621 was found to be: Known bad.

Malicious Activity Summary

redline ramon discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:20

Reported

2024-11-09 22:23

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wKq28jb65.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wKq28jb65.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wKq28jb65.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621.exe

"C:\Users\Admin\AppData\Local\Temp\48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wKq28jb65.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wKq28jb65.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wKq28jb65.exe

MD5 dc87fc747ed14e7e07d222a946edf7c3
SHA1 bfaa2e559fdd8e0db71da8e30d9ff52a74f04b8a
SHA256 ac04ebd907b3f394e6ebd788df9cf663853d22961d2259a3da243ada170869a1
SHA512 0df4a616be289551060f940880c595c05fdd4d9366796770a4a345e3fdcd4bc299efd2f6c5fe9f6bda6f4ec2b3247d0ecbdf2ab1f5c150ed6a986c2b775bc733
