Malware Analysis Report

2025-04-03 12:17

Sample ID 241109-28zflstlbt
Target 3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2
SHA256 3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2
Tags: redline debro discovery infostealer persistence
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2
Threat Level: Known bad

Malicious Activity Summary

Tags: redline debro discovery infostealer persistence

Signatures triggered:
  Redline family
  RedLine
  RedLine payload
  Executes dropped EXE
  Adds Run key to start application
  System Location Discovery: System Language Discovery
  Unsigned PE
  Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 23:15

Signatures

Unsigned PE
  No indicator rows recorded (Description / Indicator / Process / Target: N/A). The sample carries no Authenticode signature.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 23:15
Reported:  2024-11-09 23:18
Platform:  win10v2004-20241007-en
Max time kernel:  131s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2.exe"

Signatures

RedLine (infostealer, redline)
  RedLine payload: no indicator rows recorded (Description / Indicator / Process / Target: N/A).

Redline family (redline)

Adds Run key to start application

persistence

All three hits are RunOnce values named wextract_cleanupN whose command is rundll32.exe advpack.dll,DelNodeRunDLL32 "<temp dir>". That is the standard self-cleanup entry written by the Windows IExpress/WExtract self-extractor: at the next logon it deletes the IXP00N.TMP folder the archive was unpacked into, and Windows removes a RunOnce value when it runs it. The hit therefore shows that the sample is a chain of nested IExpress packages (each stage extracts the next into IXP000.TMP, IXP001.TMP and IXP002.TMP), not that the RedLine payload is registered to start again after a reboot. The WOW6432Node path also shows the stages are 32-bit processes.

Description: Set value (str)
Indicator:   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process:     C:\Users\Admin\AppData\Local\Temp\3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2.exe
Target:      N/A

Description: Set value (str)
Indicator:   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process:     C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7548617.exe
Target:      N/A

Description: Set value (str)
Indicator:   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
Process:     C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1326909.exe
Target:      N/A
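Added example (not part of the sandbox report): a small Python classifier that tells IExpress cleanup entries apart from genuine autostart entries, run over the three indicator strings above. The regular expression, the value-unescaping logic and the contrasting Run entry under a placeholder user SID are assumptions introduced for the example.

```python
import re

# The three indicator strings from the table above, copied verbatim. The sandbox
# prints string values with C-style escaping (\\ for a backslash, \" for a quote).
REPORT_RUNONCE = [
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""',
]

# Constructed contrast case (not from the report): a real autostart under a placeholder SID.
CONSTRUCTED_RUN_ENTRY = (
    r'\REGISTRY\USER\S-1-5-21-111111111-222222222-333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater'
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\Updater\\updater.exe"'
)

# The IExpress self-cleanup command: rundll32 advpack.dll,DelNodeRunDLL32 "<dir to delete>".
IEXPRESS_CLEANUP = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]+?)\\?"?\s*$',
    re.IGNORECASE,
)


def unquote_reg_value(raw):
    """Strip the outer quotes and undo the report's \\ and \" escaping."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    out, i = [], 0
    while i < len(raw):
        if raw[i] == '\\' and i + 1 < len(raw) and raw[i + 1] in '\\"':
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return ''.join(out)


def classify_run_entry(indicator):
    """Parse one 'Set value' indicator and decide whether it is real autostart persistence."""
    key, sep, raw_value = indicator.partition(' = ')
    if not sep:
        raise ValueError(f'not a key = value indicator: {indicator!r}')
    parent_key, _, value_name = key.rpartition('\\')
    run_key = parent_key.rsplit('\\', 1)[-1]          # 'Run' or 'RunOnce'
    value = unquote_reg_value(raw_value)
    m = IEXPRESS_CLEANUP.match(value)
    if m and value_name.lower().startswith('wextract_cleanup'):
        # Deletes the extraction folder at next logon; nothing of the payload is started.
        return {'value_name': value_name, 'run_key': run_key, 'kind': 'iexpress-cleanup',
                'deletes': m.group('dir'), 'persistent': False}
    return {'value_name': value_name, 'run_key': run_key, 'kind': 'autostart',
            'command': value, 'persistent': True}


def persistent_entries(indicators):
    """Only the entries that start something other than self-cleanup at the next logon."""
    return [e for e in map(classify_run_entry, indicators) if e['persistent']]


if __name__ == '__main__':
    for ind in REPORT_RUNONCE + [CONSTRUCTED_RUN_ENTRY]:
        print(classify_run_entry(ind))
    print('real persistence:', persistent_entries(REPORT_RUNONCE))
```

Run against the report's three rows the classifier returns no persistent entries and names the IXP000.TMP, IXP001.TMP and IXP002.TMP folders as the directories to be deleted; the constructed Run\Updater entry is the only one classified as autostart.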

System Location Discovery: System Language Discovery

discovery

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Target: N/A), by every stage of the chain:
  C:\Users\Admin\AppData\Local\Temp\3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7548617.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1326909.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5289473.exe

The three self-extractor stages perform the same read as the final payload, so this hit is not specific to RedLine; on its own it does not show that the payload gates execution on the system locale.

Suspicious use of WriteProcessMemory

The table lists each parent/child pair three times; collapsed, it is one four-stage chain in which every process writes only into the process it has just launched (Indicator: N/A throughout):

  PID 3904  C:\Users\Admin\AppData\Local\Temp\3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2.exe  ->  PID 4684  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7548617.exe  (3 writes)
  PID 4684  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7548617.exe  ->  PID 4012  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1326909.exe  (3 writes)
  PID 4012  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1326909.exe  ->  PID 1140  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5289473.exe  (3 writes)

Writes from a parent into a child it has just created are consistent with ordinary process start-up, and no process writes into a process it did not spawn, so this signature records the process tree rather than cross-process code injection. PID 1140 (f5289473.exe) is the leaf of the chain and the process from which every memory dump in the Files section was taken.
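Added example (not part of the sandbox report): Python that collapses the duplicated WriteProcessMemory rows into parent/child edges, checks that they form a single spawn chain, and names the stage at each PID so the leaf can be matched against the memory dumps. The row tuples are copied from the table above; the function names and the chain-shape checks are the example's own.

```python
import re
from collections import OrderedDict

STAGE0 = r'C:\Users\Admin\AppData\Local\Temp\3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2.exe'
STAGE1 = r'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7548617.exe'
STAGE2 = r'C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1326909.exe'
STAGE3 = r'C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5289473.exe'

# (Description, Process, Target) rows as printed in the table above; the sandbox
# emitted every parent/child pair three times.
REPORT_ROWS = (
    [('PID 3904 wrote to memory of 4684', STAGE0, STAGE1)] * 3
    + [('PID 4684 wrote to memory of 4012', STAGE1, STAGE2)] * 3
    + [('PID 4012 wrote to memory of 1140', STAGE2, STAGE3)] * 3
)

ROW_RE = re.compile(r'PID\s+(\d+)\s+wrote to memory of\s+(\d+)')


def collapse_edges(rows):
    """Fold duplicate rows into one (parent_pid, child_pid) edge each, keeping a hit count."""
    edges = OrderedDict()
    for description, process, target in rows:
        m = ROW_RE.search(description)
        if not m:
            continue
        edge = edges.setdefault((int(m.group(1)), int(m.group(2))),
                                {'parent': process, 'child': target, 'hits': 0})
        edge['hits'] += 1
    return edges


def process_chain(edges):
    """Order the PIDs root-first. Raises if the writes are not one straight parent->child chain,
    i.e. if a process wrote into two others or a process was written to by two parents."""
    child_of = {}
    for parent, child in edges:
        if parent in child_of:
            raise ValueError(f'PID {parent} wrote into more than one process')
        child_of[parent] = child
    roots = set(child_of) - set(child_of.values())
    if len(roots) != 1:
        raise ValueError(f'expected exactly one root process, found {sorted(roots)}')
    chain, seen = [roots.pop()], set()
    while chain[-1] in child_of:
        if chain[-1] in seen:
            raise ValueError('cycle in write graph')
        seen.add(chain[-1])
        chain.append(child_of[chain[-1]])
    return chain


def stages(edges):
    """[(pid, image name)] along the chain; the last entry is the process the dumps come from."""
    names = {}
    for (parent, child), edge in edges.items():
        names[parent] = edge['parent']
        names[child] = edge['child']
    return [(pid, names[pid].rsplit('\\', 1)[-1]) for pid in process_chain(edges)]


if __name__ == '__main__':
    edges = collapse_edges(REPORT_ROWS)
    for (p, c), e in edges.items():
        print(f'{p} -> {c}  ({e["hits"]} writes)')
    for depth, (pid, name) in enumerate(stages(edges)):
        print('  ' * depth + f'PID {pid}  {name}')
```

A report in which a process writes into a second, unrelated target would make `process_chain` raise instead of returning a chain, which is the case worth a closer look for injection; for this sample it returns the straight line 3904 -> 4684 -> 4012 -> 1140.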

Processes

Image path, followed by command line:

C:\Users\Admin\AppData\Local\Temp\3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2.exe
  "C:\Users\Admin\AppData\Local\Temp\3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7548617.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7548617.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1326909.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1326909.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5289473.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5289473.exe

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           228.249.119.40.in-addr.arpa    udp
RU       185.161.248.75:4132  -                              tcp
US       8.8.8.8:53           133.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53           58.55.71.13.in-addr.arpa       udp
US       8.8.8.8:53           28.118.140.52.in-addr.arpa     udp
RU       185.161.248.75:4132  -                              tcp
US       8.8.8.8:53           200.163.202.172.in-addr.arpa   udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa     udp
RU       185.161.248.75:4132  -                              tcp
RU       185.161.248.75:4132  -                              tcp
US       8.8.8.8:53           11.227.111.52.in-addr.arpa     udp
RU       185.161.248.75:4132  -                              tcp
RU       185.161.248.75:4132  -                              tcp

The udp rows are reverse (PTR) lookups sent to the sandbox resolver 8.8.8.8; an in-addr.arpa name carries the looked-up address with its octets reversed (228.249.119.40.in-addr.arpa is a lookup of 40.119.249.228), and none of the eight addresses looked up is ever contacted directly. The only direct connection is six TCP sessions to 185.161.248.75:4132 (RU), which is the network indicator to take from this run. The table does not say which process opened those sessions, so confirm attribution against a per-process capture before recording the address as the RedLine C2.
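Added example (not part of the sandbox report): Python that reads the Network table, decodes the in-addr.arpa names back to the addresses that were looked up, separates resolver traffic from the sample's own connections, and lists direct destinations as indicators with a session count. The rows are copied from the table above; treating 8.8.8.8:53 as the resolver and the function names are the example's assumptions.

```python
import ipaddress
from collections import Counter

# (Country, Destination, Domain, Proto) rows copied from the Network table above.
REPORT_NETWORK = [
    ('US', '8.8.8.8:53', '228.249.119.40.in-addr.arpa', 'udp'),
    ('RU', '185.161.248.75:4132', '', 'tcp'),
    ('US', '8.8.8.8:53', '133.32.126.40.in-addr.arpa', 'udp'),
    ('US', '8.8.8.8:53', '95.221.229.192.in-addr.arpa', 'udp'),
    ('US', '8.8.8.8:53', '58.55.71.13.in-addr.arpa', 'udp'),
    ('US', '8.8.8.8:53', '28.118.140.52.in-addr.arpa', 'udp'),
    ('RU', '185.161.248.75:4132', '', 'tcp'),
    ('US', '8.8.8.8:53', '200.163.202.172.in-addr.arpa', 'udp'),
    ('US', '8.8.8.8:53', '171.39.242.20.in-addr.arpa', 'udp'),
    ('RU', '185.161.248.75:4132', '', 'tcp'),
    ('RU', '185.161.248.75:4132', '', 'tcp'),
    ('US', '8.8.8.8:53', '11.227.111.52.in-addr.arpa', 'udp'),
    ('RU', '185.161.248.75:4132', '', 'tcp'),
    ('RU', '185.161.248.75:4132', '', 'tcp'),
]

RESOLVERS = {'8.8.8.8:53'}   # assumption: the sandbox's DNS resolver as it appears in the table


def ptr_to_ip(name):
    """Decode a reverse-lookup name back to the IPv4 address that was looked up, or None."""
    suffix = '.in-addr.arpa'
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split('.')
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address('.'.join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def split_destination(dest):
    host, _, port = dest.rpartition(':')
    return host, int(port)


def triage_network(rows):
    """Separate resolver traffic (and what it looked up) from the sample's own connections."""
    looked_up, direct = [], Counter()
    for country, dest, domain, proto in rows:
        if dest in RESOLVERS and proto == 'udp':
            looked_up.append((domain, ptr_to_ip(domain)))
        else:
            host, port = split_destination(dest)
            direct[(host, port, proto, country)] += 1
    return {'looked_up': looked_up, 'direct': direct}


def network_iocs(rows):
    """Direct destinations as (ip, port, proto, country, sessions), busiest first."""
    direct = triage_network(rows)['direct']
    return sorted(((*key, n) for key, n in direct.items()), key=lambda r: -r[-1])


def ptr_targets_never_contacted(rows):
    """Addresses that were reverse-resolved but never connected to: background lookups
    by the OS or sandbox rather than something the sample went on to talk to."""
    t = triage_network(rows)
    contacted = {host for host, *_ in t['direct']}
    ips = {ip for _, ip in t['looked_up'] if ip and ip not in contacted}
    return sorted(ips, key=ipaddress.IPv4Address)


if __name__ == '__main__':
    for ip, port, proto, country, n in network_iocs(REPORT_NETWORK):
        print(f'{ip}:{port}/{proto} ({country})  {n} sessions')
    print('reverse-resolved, never contacted:', ptr_targets_never_contacted(REPORT_NETWORK))
```

For this run `network_iocs` yields a single entry, 185.161.248.75:4132/tcp with six sessions, and all eight reverse-resolved addresses land in the never-contacted list, which is the quickest way to show that the PTR traffic and the TCP sessions are unrelated.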

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7548617.exe

MD5 91248268996a0ece3629ebea188c0d57
SHA1 ec2ca895968e340f9099bf1bd5354cfccba73f20
SHA256 2f1a5cf368cf2444406e577da0ac7966ab32d209a0f73a59ed46ab5155c79758
SHA512 8176ccb3dc74b70d44890d9c34cccce4ff17482e54b5f757653c74d3070ca70b82be57572ce4b448b753d521b86e5c8b8a837e186d61645460ffe1e1b3f2adf2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1326909.exe

MD5 dadd9de803bd1188e2886373f0e6c1ba
SHA1 80fe83b9efa0b6b2d9b3b12335d747f7378ca876
SHA256 68b2612e2ed911a86cfd70510231a0156375c970ce8c61963acfc3d6f902d99a
SHA512 afc151746b2be1d044b2a998ca1fe12b3c3c3081339d212a19141b3427d73e27a6a098fe226942275e832f81d8a61d2fd33f19d4c4ccf6f665baf64d01161c2a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5289473.exe

MD5 8278703515a2585063e467fbfffa3b8a
SHA1 437577feceda565c8e5b72a5117c8e6905cc920d
SHA256 65fdfcb0e267a98f37fa04567e88dc25637a73f94f61ae1b77c33e4b7579e091
SHA512 bb2b4dd8df35918558109db5b2eb36af0fe980da71702e536755813382974072c7d0fa9bcce2cda60fe41a8ff69c88b293a28e88033e447669406b3b4e89be35

Memory dumps, all taken from PID 1140 (C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5289473.exe, the last stage of the chain):

memory/1140-21-0x0000000000720000-0x000000000074E000-memory.dmp
memory/1140-22-0x0000000002990000-0x0000000002996000-memory.dmp
memory/1140-23-0x000000000AA10000-0x000000000B028000-memory.dmp
memory/1140-24-0x000000000A590000-0x000000000A69A000-memory.dmp
memory/1140-25-0x000000000A4C0000-0x000000000A4D2000-memory.dmp
memory/1140-26-0x000000000A520000-0x000000000A55C000-memory.dmp
memory/1140-27-0x00000000049E0000-0x0000000004A2C000-memory.dmp