Malware Analysis Report

2025-04-03 13:57

Sample ID 241109-19n6lawpaj
Target 5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646
SHA256 5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646
Tags
redline discovery infostealer persistence
score
10/10

Analysis Overview

score
10/10

SHA256

5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646

Threat Level: Known bad

The file 5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646 was found to be: Known bad.

Malicious Activity Summary

redline discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:21

Reported

2024-11-09 22:23

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4960761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6503738.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4960761.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4960761.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6503738.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646.exe

"C:\Users\Admin\AppData\Local\Temp\5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4960761.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4960761.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6503738.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6503738.exe

Network

Country Destination Domain Proto
FI 77.91.124.111:19069 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4960761.exe

MD5 1277da9010ebc55f5f6913ba8f8cd9d7
SHA1 86002a35d9676d85a38bcae1ce4442879b4beb93
SHA256 d42b630b59feab7c21aaf032aa72840593b1a8a6c8e517e418f71f2b4d3aa39d
SHA512 47cb668bf718b71a7d42de9cf733a434712d442b9cf497ce8aa5cbf75f8ddc84b17b6531f6cc372faa8fbc87b4f38d3c01c71ba578ae4c44b778b6b7ca749614

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6503738.exe

MD5 bdb266e3f32484186305b8802d7d14ed
SHA1 7d542b89c3e7b94f0db746d21f949bf708a0ba8c
SHA256 cd84f486ed55ef9dae20483659268bbb8111d7aed151ec0bda4a1272c3cb4c96
SHA512 dba745d2da8236c015a4efe52d30af7f03b2c12a50772b247daedef9d43ceaa5246c09cabd73454ecc7010700899e7494eb159677d9c1144b534b2a02a299aaa
