Malware Analysis Report

2025-05-06 00:51

Sample ID 241109-y961as1jht
Target da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b
SHA256 da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b
Tags
redline most discovery infostealer persistence
Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score
10/10

SHA256

da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b

Threat Level: Known bad

The file da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b was found to be: Known bad.

Malicious Activity Summary

redline most discovery infostealer persistence

Redline family

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:30

Reported

2024-11-09 20:32

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70175154.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4368 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe
PID 4368 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe
PID 4368 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe
PID 2208 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe
PID 2208 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe
PID 2208 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe
PID 592 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe
PID 592 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe
PID 592 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe
PID 320 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe
PID 320 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe
PID 320 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe
PID 3008 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70175154.exe
PID 3008 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70175154.exe
PID 3008 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70175154.exe

Processes

C:\Users\Admin\AppData\Local\Temp\da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe

"C:\Users\Admin\AppData\Local\Temp\da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70175154.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70175154.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe

MD5 d204859ccc2d8cd642a6a4ea6c931e38
SHA1 af57f700d7ba5ea5136a709caf69e17671f56445
SHA256 08ca7369ce6e720df3fba908e915a1e42acdac678542ed32bf6149df9218dd58
SHA512 265e4e199bf5975b1b0bcd155c70123c2864a55e421aa467b737f47305d9ebcc62bb7f6a35021725e03753619a0a612dd3bedfcc70bd08e2c8328435d7077c44

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe

MD5 2fe3fcf52c956c689c47500ff7e415e1
SHA1 220d98108f3de803c2a93816f7deb2541ebffd80
SHA256 2e60b6c23fbb8f5e047217391abfad6f7f55f02fb13901718c36c02da71a3cc8
SHA512 cd8da39b030b0e78e5e51dd9fe7ce7222fae0a8867e4c3cd8f986cd3d8fca72ed278bbbc4e333192a3f9611c9225d32daeccc78e6fc41d0e0fa4a9bb3dea1e9e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe

MD5 e458082da7cc4f5dd3579ea94b81c071
SHA1 27d1eb84fd0e40e1929bc863916f3e729589ede9
SHA256 a5b8cb12a49febceb29ffe1c5c0cbc5649c90f379c53cd5ec6c7b2c2d66a1c32
SHA512 1e36cdb30a8fa6950e1326d4052f873a9c7f1089a54ec3aa30c1a6faa2e437111efcbc63ce5ad4f62a1590c442425a4e7288cc79f9d5ff20cf2629ce1b349198

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe

MD5 69aeb4273a7286acb0d16733ef666fc3
SHA1 c2c82c3b557a2bf7d9efe4c8505d2b64ec57facd
SHA256 0055f0d686cb0886a5251a468fb710f26c2cb0bcb0d5ee9585a3f2451d25fe06
SHA512 fd8ea7f738e438bd44000b6a118e4737b9a5d3599496897685bc1e35376f89f708e99f79943a1dfd1f122279ac096737e67c673f9cf3d83a6778225657f7eecc

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70175154.exe

MD5 5773a53d294a14d3ff6774e36b97aec1
SHA1 f14e74f98201241fc5bc112c46d22a38fc2b8d6e
SHA256 b2a4b49950ddcb5ada42f12b5e3f669ea936dd8f2f056d83d71327b774d4e8c1
SHA512 11f1d9e885bd8ae28ab8dfff97320d582f522d79c298cf31cc2d946f9543bfc78d88bee51cbdf31235f7105023bfdd75564611a4eabf64f1d10319d60b73d1b3

memory/220-35-0x0000000000A50000-0x0000000000A80000-memory.dmp

memory/220-36-0x0000000002BB0000-0x0000000002BB6000-memory.dmp

memory/220-37-0x0000000005B90000-0x00000000061A8000-memory.dmp

memory/220-38-0x0000000005680000-0x000000000578A000-memory.dmp

memory/220-39-0x0000000005400000-0x0000000005412000-memory.dmp

memory/220-40-0x0000000005570000-0x00000000055AC000-memory.dmp

memory/220-41-0x00000000055C0000-0x000000000560C000-memory.dmp