Malware Analysis Report

2025-04-03 13:56

Sample ID 241109-19k4yatdpa
Target 5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN
SHA256 5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12f
Tags
redline most discovery infostealer persistence
score
10/10

Analysis Overview

score
10/10

SHA256

5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12f

Threat Level: Known bad

The file 5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN was found to be: Known bad.

Malicious Activity Summary

redline most discovery infostealer persistence

RedLine payload

Redline family

RedLine

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:20

Reported

2024-11-09 22:23

Platform

win10v2004-20241007-en

Max time kernel

132s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i88034347.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a76258075.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i88034347.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i88034347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a76258075.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN.exe

"C:\Users\Admin\AppData\Local\Temp\5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i88034347.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i88034347.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a76258075.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a76258075.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i88034347.exe

MD5 7b45c3bbefc65d092f9ff72d76e87b01
SHA1 83e5616cd32629b164cccf68e722e8635c54b42a
SHA256 68fc27a8dff40abc5216d2bb14cf5d83ce71683657b6bf111abf5e89220d8123
SHA512 2a668c045d6c06f2182aefa0947756e6eae83e34d65a7399867a8c263f571537b1b5bbe65b6931ec1606d09b692875c664de452dddccd132cf438f6d6612c8a2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a76258075.exe

MD5 b982398e2ce0cf8b607286083bc71c47
SHA1 9bc0dc9f894efae29aa13c7dc8620acd65eb2912
SHA256 12132f821daef3ccf262499529e908f7ca2aa461ba39d3d9f84e0c54846c2d60
SHA512 a6a998e3f5ee48e58fa0d4fa59da8557cf140ef5b8d126ab6ce3b176f89f5d49284a8686ffadc24374d576d601dc012ece2421685cd66cc74e04c80594fbf754