Malware Analysis Report

2025-08-10 13:02

Sample ID 241109-mge6bssjav
Target 2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162
SHA256 2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162
Tags
redline discovery infostealer persistence
score
10/10

Analysis Overview

score
10/10

SHA256

2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162

Threat Level: Known bad

The file 2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162 was found to be: Known bad.

Malicious Activity Summary

redline discovery infostealer persistence

Redline family

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 10:25

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 10:25

Reported

2024-11-09 10:28

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Redline family

redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0339804.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1584 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe
PID 1584 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe
PID 1584 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe
PID 4756 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe
PID 4756 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe
PID 4756 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe
PID 3760 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0339804.exe
PID 3760 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0339804.exe
PID 3760 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0339804.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe

"C:\Users\Admin\AppData\Local\Temp\2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0339804.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0339804.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe

MD5 aec4b640bb4d70e26f992687e2a04a76
SHA1 1c5faf208e380ae6204dff795e4c6eca1e38c24d
SHA256 4c73843b36e052597148df44e62bfc7e4d3adf522f61a97602645869957b2274
SHA512 a68ee38285acf92192e30e80a5c878a9dc7712d86716ba1d173313dd0deafe6f4244a55e527bc17f1f6ffe968e78bdd0f1d99b45fa86a7dc118c716ce1e51c16

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe

MD5 443c12936251f264c4dc4d96192f0819
SHA1 c5e7c4f660f3ff17c8cea1b9dfd00fc11955d404
SHA256 909886487687835f25ff0fdadc63546982f65176fd827a3fb9eeed83c0fac39d
SHA512 387938841b8a6ff8fb1dbfb0694dae16ce4bc0b5d9b1b39f942e75d01bc6ae79b19ae9213cae2eb151007592cf5ebdd435f0bb77d0407d08222d4a5cef43c711

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0339804.exe

MD5 bf796ee030a6a6775ad0266ba6987ad1
SHA1 fa088629b9c12d9944abd5560255c0404cf974d6
SHA256 5a8dc121cf510a11b664fa3d760deeb981075f55853ba3a68ae4058f6753eb5e
SHA512 511e764725904275a9e158a12006f77b30d96a71b14065d1ea9a309775ce02abf9c1a7e0f781bce2c53f366ca2994509147c6df0f98d98319d474ba5362cb04a

memory/2860-21-0x0000000000AE0000-0x0000000000B08000-memory.dmp
memory/2860-22-0x0000000007EC0000-0x00000000084D8000-memory.dmp
memory/2860-23-0x0000000007940000-0x0000000007952000-memory.dmp
memory/2860-24-0x0000000007AB0000-0x0000000007BBA000-memory.dmp
memory/2860-25-0x00000000079E0000-0x0000000007A1C000-memory.dmp
memory/2860-26-0x0000000002E90000-0x0000000002EDC000-memory.dmp