Malware Analysis Report

2025-04-03 11:33

Sample ID 241109-3dz94axldn
Target 6bc176a05c269ffd88f9250a66d74574265139977de6f4de08b9e0cea2013fd7N
SHA256 6bc176a05c269ffd88f9250a66d74574265139977de6f4de08b9e0cea2013fd7
Tags redline most discovery infostealer persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 6bc176a05c269ffd88f9250a66d74574265139977de6f4de08b9e0cea2013fd7

Threat Level: Known bad

The file 6bc176a05c269ffd88f9250a66d74574265139977de6f4de08b9e0cea2013fd7N was found to be: Known bad.

Malicious Activity Summary

redline most discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-09 23:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-09 23:24

Reported 2024-11-09 23:26

Platform win10v2004-20241007-en

Max time kernel 105s

Max time network 114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6bc176a05c269ffd88f9250a66d74574265139977de6f4de08b9e0cea2013fd7N.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a49920896.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6bc176a05c269ffd88f9250a66d74574265139977de6f4de08b9e0cea2013fd7N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6bc176a05c269ffd88f9250a66d74574265139977de6f4de08b9e0cea2013fd7N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a49920896.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6bc176a05c269ffd88f9250a66d74574265139977de6f4de08b9e0cea2013fd7N.exe

"C:\Users\Admin\AppData\Local\Temp\6bc176a05c269ffd88f9250a66d74574265139977de6f4de08b9e0cea2013fd7N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a49920896.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a49920896.exe

Network

Country  Destination           Domain                            Proto
US       8.8.8.8:53            228.249.119.40.in-addr.arpa       udp
RU       185.161.248.73:4164                                     tcp
US       8.8.8.8:53            136.32.126.40.in-addr.arpa        udp
US       8.8.8.8:53            88.210.23.2.in-addr.arpa          udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa       udp
US       8.8.8.8:53            104.219.191.52.in-addr.arpa       udp
RU       185.161.248.73:4164                                     tcp
US       8.8.8.8:53            212.20.149.52.in-addr.arpa        udp
US       8.8.8.8:53            171.39.242.20.in-addr.arpa        udp
US       8.8.8.8:53            104.208.201.84.in-addr.arpa       udp
RU       185.161.248.73:4164                                     tcp
US       8.8.8.8:53            83.210.23.2.in-addr.arpa          udp
RU       185.161.248.73:4164                                     tcp
US       8.8.8.8:53            172.214.232.199.in-addr.arpa      udp
US       8.8.8.8:53            43.229.111.52.in-addr.arpa        udp
RU       185.161.248.73:4164                                     tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a49920896.exe

MD5 b7583e0e917d9ddfb9dda8d539ce5f3a
SHA1 f6c300b5736084afa71ed1da8c6df63ec697cc90
SHA256 4e845a39b0391ca53725e7ae01eec669c0037a31603c1e3857feaa180c6d88d7
SHA512 9b66f6fc070d8f637ca3661f5eaa8e2d3b5174b65016cddcfee86d26bf34909767e627cba5855a7e9fdc793a7cc9ec0b676b2473f65a43b55f86b82cb53934c6

memory/2448-7-0x0000000073CFE000-0x0000000073CFF000-memory.dmp

memory/2448-8-0x0000000000D30000-0x0000000000D60000-memory.dmp

memory/2448-9-0x0000000005550000-0x0000000005556000-memory.dmp

memory/2448-10-0x0000000005CB0000-0x00000000062C8000-memory.dmp

memory/2448-11-0x00000000057A0000-0x00000000058AA000-memory.dmp

memory/2448-12-0x00000000056B0000-0x00000000056C2000-memory.dmp

memory/2448-13-0x0000000005710000-0x000000000574C000-memory.dmp

memory/2448-14-0x0000000073CF0000-0x00000000744A0000-memory.dmp

memory/2448-15-0x00000000058B0000-0x00000000058FC000-memory.dmp

memory/2448-16-0x0000000073CFE000-0x0000000073CFF000-memory.dmp

memory/2448-17-0x0000000073CF0000-0x00000000744A0000-memory.dmp