Malware Analysis Report

2025-06-15 23:30

Sample ID 241109-xzx4zazhpl
Target 09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417
SHA256 09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417
Tags redline muza discovery evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417

Threat Level: Known bad

The file 09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417 was found to be: Known bad.

Malicious Activity Summary

redline muza discovery evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine

RedLine payload

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:18

Reported

2024-11-09 19:20

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0555378.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2520 wrote to memory of 4700 | N/A | C:\Users\Admin\AppData\Local\Temp\09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe
PID 2520 wrote to memory of 4700 | N/A | C:\Users\Admin\AppData\Local\Temp\09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe
PID 2520 wrote to memory of 4700 | N/A | C:\Users\Admin\AppData\Local\Temp\09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe
PID 4700 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe
PID 4700 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe
PID 4700 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe
PID 4264 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe
PID 4264 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe
PID 4264 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe
PID 4264 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0555378.exe
PID 4264 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0555378.exe
PID 4264 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0555378.exe

Processes

C:\Users\Admin\AppData\Local\Temp\09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe

"C:\Users\Admin\AppData\Local\Temp\09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0555378.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0555378.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
RU | 185.161.248.75:4132 | | tcp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 185.161.248.75:4132 | | tcp
RU | 185.161.248.75:4132 | | tcp
RU | 185.161.248.75:4132 | | tcp
US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
RU | 185.161.248.75:4132 | | tcp
RU | 185.161.248.75:4132 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe

MD5 0e779946ef77a1d3780750706a47cf77
SHA1 360b12f8421cfd4a52870421d1042d24d82cad24
SHA256 4995b38a203abefa69ad4c7ff61247651b74049010128f0e07345a7d025a9861
SHA512 3a65f0c8e6c581b8811509716a959089397badb6048bdd0d91db61b8ec73aa64704c28a9ec307a099421ded4a4e058674fcd25d2c4edac784c481c818c7075e8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe

MD5 9463742fa3592a60dc9a34da6d187ad5
SHA1 a9ae15f432098b65c67e95362ff651c567e296be
SHA256 80281ca13faefaa480c7084504bf24b888857fd46b0cbf123e35fb1199cb45db
SHA512 21d3e653148499097e755cfdae8fce57904a0f02328a005eeda3cbe977821c88e76c6897c160307850ba853fcdf8fbab1a1dafabf2f5f9fcb9e51ec78d0239f8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe

MD5 491f1f61aa027e4cbd3a4c768eafa7d1
SHA1 a4405e21b14e50e94430c2c3b30cd22c47a9f9f8
SHA256 a40b4bb316921cf8ad107871fcff524518c0040925afd6ee9e638f0232c18a55
SHA512 d87c7398fe703b7b628cf45060e9f830332a7e188f172e1c51f0e32342cd6ff318a0ab976ef8a828ee9fb26d81907963a53d3270d03174937daff2ace248ec05

memory/1476-21-0x0000000002330000-0x000000000234E000-memory.dmp

memory/1476-22-0x0000000004AE0000-0x0000000005084000-memory.dmp

memory/1476-23-0x00000000024C0000-0x00000000024DC000-memory.dmp

memory/1476-51-0x00000000024C0000-0x00000000024D6000-memory.dmp

memory/1476-49-0x00000000024C0000-0x00000000024D6000-memory.dmp

memory/1476-47-0x00000000024C0000-0x00000000024D6000-memory.dmp

memory/1476-45-0x00000000024C0000-0x00000000024D6000-memory.dmp

memory/1476-43-0x00000000024C0000-0x00000000024D6000-memory.dmp

memory/1476-41-0x00000000024C0000-0x00000000024D6000-memory.dmp

memory/1476-39-0x00000000024C0000-0x00000000024D6000-memory.dmp

memory/1476-37-0x00000000024C0000-0x00000000024D6000-memory.dmp

memory/1476-35-0x00000000024C0000-0x00000000024D6000-memory.dmp

memory/1476-33-0x00000000024C0000-0x00000000024D6000-memory.dmp

memory/1476-31-0x00000000024C0000-0x00000000024D6000-memory.dmp

memory/1476-29-0x00000000024C0000-0x00000000024D6000-memory.dmp

memory/1476-27-0x00000000024C0000-0x00000000024D6000-memory.dmp

memory/1476-25-0x00000000024C0000-0x00000000024D6000-memory.dmp

memory/1476-24-0x00000000024C0000-0x00000000024D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0555378.exe

MD5 7d467150c58638fda1accd402ffc9db4
SHA1 7b485acdbbe4ac9afd8dfcf27a4cfc07fa5d5539
SHA256 87ff4718b356f6b9d7c4b26ffc3c92ed806e23203cc9b314797a9b97fb12d917
SHA512 6f526880626c2725c1d59859fa39a914ae9826de4def771897b7dc839c13d97d4256f58b0da339adc27122b181bc76c4e5f68aa3809b7c9eaa094094b694fd3e

memory/536-56-0x0000000000570000-0x000000000059A000-memory.dmp

memory/536-57-0x0000000005390000-0x00000000059A8000-memory.dmp

memory/536-58-0x0000000004F00000-0x000000000500A000-memory.dmp

memory/536-59-0x0000000004E30000-0x0000000004E42000-memory.dmp

memory/536-60-0x0000000004EC0000-0x0000000004EFC000-memory.dmp

memory/536-61-0x0000000004E50000-0x0000000004E9C000-memory.dmp