Malware Analysis Report

2025-08-05 10:10

Sample ID 241109-m7zyestblj
Target 3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN
SHA256 3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160c
Tags: redline, most, discovery, infostealer, persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160c

Threat Level: Known bad

The file 3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN was found to be: Known bad.

Malicious Activity Summary

Tags: redline, most, discovery, infostealer, persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-11-09 11:07

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 11:07
Reported: 2024-11-09 11:09
Platform: win10v2004-20241007-en
Max time kernel: 106s
Max time network: 114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe"

Signatures

RedLine

Tags: infostealer, redline

RedLine payload

Redline family

Tags: redline

Adds Run key to start application

Tags: persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe

System Location Discovery: System Language Discovery

Tags: discovery

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes:
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe
  C:\Users\Admin\AppData\Local\Temp\3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe

Suspicious use of WriteProcessMemory

PID 4996 wrote to memory of 4196 (3 events)
  Process: C:\Users\Admin\AppData\Local\Temp\3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe
  Target: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe

PID 4196 wrote to memory of 5028 (3 events)
  Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe
  Target: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe

PID 5028 wrote to memory of 4612 (3 events)
  Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe
  Target: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe

PID 4612 wrote to memory of 1896 (3 events)
  Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe
  Target: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe

PID 1896 wrote to memory of 2804 (3 events)
  Process: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe
  Target: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe

Network

Country  Destination           Domain                            Proto
US       8.8.8.8:53            209.205.72.20.in-addr.arpa        udp
US       8.8.8.8:53            73.82.67.80.in-addr.arpa          udp
RU       185.161.248.73:4164   -                                 tcp
US       8.8.8.8:53            71.159.190.20.in-addr.arpa        udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa       udp
US       8.8.8.8:53            228.249.119.40.in-addr.arpa       udp
US       8.8.8.8:53            28.118.140.52.in-addr.arpa        udp
RU       185.161.248.73:4164   -                                 tcp
US       8.8.8.8:53            197.87.175.4.in-addr.arpa         udp
US       8.8.8.8:53            15.164.165.52.in-addr.arpa        udp
RU       185.161.248.73:4164   -                                 tcp
US       8.8.8.8:53            115.108.222.173.in-addr.arpa      udp
RU       185.161.248.73:4164   -                                 tcp
US       8.8.8.8:53            210.108.222.173.in-addr.arpa      udp
US       8.8.8.8:53            43.229.111.52.in-addr.arpa        udp
RU       185.161.248.73:4164   -                                 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe

MD5 96424ad0dbee1cbb7253980d6c1a6be7
SHA1 c0738d7f51a41623c704a154a9a9013304244d47
SHA256 0d55df92f772a478e54daf19b714d03404a7ac3edcd5abbc88c7eadf3733bfd2
SHA512 2a8d3aaa1f1fb9865dcb7fcff9eb26e756d7c698ff0100c984ed0cf4f4d99479e87bba1d1c38b25000681dbcb22417cbc63bc507c9622410b528a1d1bb6aef45

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe

MD5 435c23635c3fdf9468818d370c448fb3
SHA1 b7d1c39b7adfa85103e0dcb7f81da101c3511790
SHA256 7719f88e17528c67eceb623ff389cf6581d5f1052b7c3748988db0cdbb23dfdb
SHA512 9a5cd3122d9b8aa6eb14f24e73511c833c485af0681270e4ebc92f887882bd951434560b2131caa07718b7c496163e96673c91bd60b77a541f9f6403834f19ee

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe

MD5 df9bffbd5de29604cfcf05286f367cf3
SHA1 2f2f7b628eb083068a9220f98779bfa7e423d03d
SHA256 cf78e5d897eace16f314562aaaf28b46e9368ed435ea3f734baf0ccda3106a5a
SHA512 64a26f763c04ed685f33ff12596f06d63e2e07f8b99695eaf66810f8d27b421a927f2b89d12151412b4f2169d78c15a3b8c2e8dbc9db271e12bcb49947954906

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe

MD5 b5665f55e1124c091a5f344f231bd10f
SHA1 b733a68359599dacf7c43cf04708db767d3afdee
SHA256 8291e7676418fc56d50b263365968e98ccc7d18a5439017d8eaaa88d6741a4d8
SHA512 146958f1c403c3c13e77a00a0494165e011e16cf2ba741d309ac3aabe36be7c454b9976dc02356d5652adcb55468d638180810b12bed019641d7c530c4034056

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe

MD5 9e3d31f3302c87b6bbc03ffe3af5cb52
SHA1 82df246e1fdf14e87d95d1772d0be46e391e2a57
SHA256 e3537994912e245abac3d6c0d6e0cf66632a2697b555d8dd6296a6af1205f596
SHA512 40356f32bac252a36da2f4f0d1b7aaee97deebed36d94785b4ed180e5487a7d8b32dfb10c75f40f604dcabb12701c78bea0956c91e73ba8b05442c0e372a2995

memory/2804-35-0x0000000000D40000-0x0000000000D70000-memory.dmp
memory/2804-36-0x0000000003010000-0x0000000003016000-memory.dmp
memory/2804-37-0x0000000005D60000-0x0000000006378000-memory.dmp
memory/2804-38-0x0000000005850000-0x000000000595A000-memory.dmp
memory/2804-39-0x00000000055C0000-0x00000000055D2000-memory.dmp
memory/2804-40-0x0000000005740000-0x000000000577C000-memory.dmp
memory/2804-41-0x0000000005780000-0x00000000057CC000-memory.dmp