Malware Analysis Report

2025-08-06 00:54

Sample ID 241109-m4felssldz
Target 6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7
SHA256 6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7
Tags
redline darm discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7

Threat Level: Known bad

The file 6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7 was found to be: Known bad.

Malicious Activity Summary

redline darm discovery infostealer persistence

RedLine payload

Redline family

RedLine

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 11:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 11:00

Reported

2024-11-09 11:03

Platform

win10v2004-20241007-en

Max time kernel

132s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8390277.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3472709.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8390277.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8390277.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3472709.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe

"C:\Users\Admin\AppData\Local\Temp\6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8390277.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8390277.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3472709.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3472709.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 89.82.67.80.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp
US 8.8.8.8:53 115.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
CY 217.196.96.56:4138 tcp
CY 217.196.96.56:4138 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8390277.exe

MD5 1753c64f28a828eae7fde7294760247f
SHA1 abe51a56348ecaec4b329ce54805d1b73b03ea38
SHA256 29cc9ea1fa2282a496bdd4ec6999af191b760bdaef977bccc87fea386a3a4cdf
SHA512 6444bc3d3b9eaae179a8bb73992b8111cbd1bdbd365bcd65dffa74122b5b8f1a7dfee2a06b2dc3361a9510d92ce78ff7f7b4529f0d40a0b397d27c726b93103e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3472709.exe

MD5 df763011f3cccf02835dd6115ab93407
SHA1 0bc714d28b579d26ff6991ba416e127957fa80e1
SHA256 6f11fae0cfe33d7bf220b633470d4fba619a67600aba58580e6602191ac249ca
SHA512 c987114dc2012e9813ff6a8bc40c06764b23a9ebb122acdb8e203b03a4f6c2442351dc1f77bd2922a76c85e680496fa2d884fc0c2eb9ef156fb4b069568933cb

memory/3308-14-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

memory/3308-15-0x0000000000D80000-0x0000000000DB0000-memory.dmp

memory/3308-16-0x00000000055A0000-0x00000000055A6000-memory.dmp

memory/3308-17-0x000000000B140000-0x000000000B758000-memory.dmp

memory/3308-18-0x000000000AC30000-0x000000000AD3A000-memory.dmp

memory/3308-19-0x000000000AB20000-0x000000000AB32000-memory.dmp

memory/3308-20-0x0000000074A00000-0x00000000751B0000-memory.dmp

memory/3308-21-0x000000000AB80000-0x000000000ABBC000-memory.dmp

memory/3308-22-0x0000000002F90000-0x0000000002FDC000-memory.dmp

memory/3308-23-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

memory/3308-24-0x0000000074A00000-0x00000000751B0000-memory.dmp