Malware Analysis Report

2025-08-11 06:34

Sample ID 241109-meh47ssfmq
Target b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4
SHA256 b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4
Tags
redline dippo discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4

Threat Level: Known bad

The file b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4 was found to be: Known bad.

Malicious Activity Summary

redline dippo discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 10:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 10:22

Reported

2024-11-09 10:25

Platform

win10v2004-20241007-en

Max time kernel

132s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9291247.exe
Target: N/A

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6282725.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9291247.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9291247.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6282725.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe

"C:\Users\Admin\AppData\Local\Temp\b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9291247.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9291247.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6282725.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6282725.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 201.108.222.173.in-addr.arpa udp
CY 217.196.96.102:4132 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
CY 217.196.96.102:4132 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 114.108.222.173.in-addr.arpa udp
CY 217.196.96.102:4132 tcp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
CY 217.196.96.102:4132 tcp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
CY 217.196.96.102:4132 tcp
CY 217.196.96.102:4132 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9291247.exe

MD5 2f56696fb2923c0c7a1bc527833b4e71
SHA1 aaa9e66aeb313455bff74ecea62b1732e907264e
SHA256 edd036c6a3b21d3ac0069c26fee6f389ded679a5ad0312e8d1e24def19a0f28f
SHA512 3442e2252484fc754ac4b5505740ac8e1896d3c7ce50e736ea441657e12c13165596f124c1d9f50b67d725cb2ed5d9eabc69a352251065749653cd0046d0062f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6282725.exe

MD5 347bcfbf2d72b1233671bc0850229d7e
SHA1 642ab2fd1e524e82c575ead965bd04950a475a15
SHA256 8f770edae94cb40607f73037d6d048f0d45cf84554b08b67eb555600fb52c2cc
SHA512 ee9f669a7a104cc4f7b47109cdba20a51f70f5a810222ef569939216ae38b52a6d79ae78d12ae04f686611b8e14c28bbf95c9e1b43e2d3183c0b1847e6ebb50c

memory/516-14-0x00000000746EE000-0x00000000746EF000-memory.dmp

memory/516-15-0x0000000000FD0000-0x0000000000FFE000-memory.dmp

memory/516-16-0x00000000059F0000-0x00000000059F6000-memory.dmp

memory/516-17-0x00000000060C0000-0x00000000066D8000-memory.dmp

memory/516-18-0x0000000005BB0000-0x0000000005CBA000-memory.dmp

memory/516-19-0x0000000005AA0000-0x0000000005AB2000-memory.dmp

memory/516-20-0x00000000746E0000-0x0000000074E90000-memory.dmp

memory/516-21-0x0000000005AC0000-0x0000000005AFC000-memory.dmp

memory/516-22-0x0000000005B40000-0x0000000005B8C000-memory.dmp

memory/516-23-0x00000000746EE000-0x00000000746EF000-memory.dmp

memory/516-24-0x00000000746E0000-0x0000000074E90000-memory.dmp