Malware Analysis Report

2025-06-15 22:19

Sample ID: 241109-yhgaka1brk
Target: 620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c
SHA256: 620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c
Tags: redline, most, discovery, infostealer, persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c
Threat Level: Known bad

The file 620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c was found to be: Known bad.

Malicious Activity Summary

Tags: redline, most, discovery, infostealer, persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 19:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 19:46
Reported: 2024-11-09 19:49
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe"

Signatures

RedLine

Tags: infostealer, redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

Tags: redline

Adds Run key to start application

Tags: persistence

Five string values under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce, one per extraction stage, each written by the stub that extracts into the directory the value names (the raw report's backslash escaping is removed here; Target is N/A for all five):

wextract_cleanup0
  Value: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  Written by: C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe
wextract_cleanup1
  Value: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  Written by: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe
wextract_cleanup2
  Value: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"
  Written by: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe
wextract_cleanup3
  Value: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"
  Written by: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe
wextract_cleanup4
  Value: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\"
  Written by: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe

What this signature actually shows: wextract_cleanupN under RunOnce is the stock cleanup entry written by the Windows WExtract/IExpress self-extractor stub, and advpack.dll,DelNodeRunDLL32 deletes the named IXP00N.TMP directory at the next logon. The entries remove each stage's extracted files; none of them launches a dropped executable. They are evidence of five nested self-extracting packages, not of payload persistence, and no other Run or RunOnce value appears anywhere in this report.
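The distinction above (a self-extractor cleanup entry versus a value that actually starts a program) is worth checking mechanically when triaging many reports. The following is an added example, not part of the sandbox report or its tooling: it parses the five RunOnce rows exactly as they appear above (reproduced here as constructed input), decodes the escaped values, and labels each entry. The function names (parse_run_entries, classify_run_entry) and the contrast Run value under Updater used in the usage code are hypothetical.

```python
import re

# Constructed copy of the five "Adds Run key to start application" rows from the
# behavioral1 signature table above, in the report's own escaped form.
RUNONCE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe N/A
"""

# Row layout: Set value (str) <key> = "<escaped value>" <writing process> <target>
ROW_RE = re.compile(r'^Set value \(str\) (\S+) = "((?:[^"\\]|\\.)*)" (\S+) (\S+)$')
# The stock WExtract/IExpress cleanup entry: RunOnce\wextract_cleanupN calling advpack!DelNodeRunDLL32.
CLEANUP_KEY_RE = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)
DELNODE_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32\b", re.IGNORECASE)


def unescape(value):
    """Undo the report's backslash escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", value)


def classify_run_entry(key, value):
    """Return 'sfx-cleanup' for the self-extractor's temp-dir deletion, 'autostart' otherwise.

    Only the exact cleanup form is exempted; any other Run/RunOnce value is treated
    as a real autostart and should be reviewed as persistence.
    """
    if CLEANUP_KEY_RE.search(key) and DELNODE_RE.search(value):
        return "sfx-cleanup"
    return "autostart"


def parse_run_entries(text):
    """Parse report rows into dicts with the decoded value and a verdict per entry."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key, raw_value, process, target = m.groups()
        value = unescape(raw_value)
        quoted = re.search(r'"([^"]+)"', value)
        entries.append({
            "name": key.rsplit("\\", 1)[-1],
            "key": key,
            "value": value,
            "process": process,
            "target": target,
            "verdict": classify_run_entry(key, value),
            # For the cleanup form, the quoted argument is the directory rundll32 will delete.
            "deletes": quoted.group(1) if quoted else None,
        })
    return entries


if __name__ == "__main__":
    for e in parse_run_entries(RUNONCE_ROWS):
        print(f"{e['name']:18} {e['verdict']:12} deletes={e['deletes']}  written by {e['process']}")
    # Constructed contrast case, not from the report: a value that launches a binary.
    print(classify_run_entry(
        r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
        r"C:\Users\Admin\AppData\Roaming\updater.exe"))
```

The exemption is deliberately narrow: both the RunOnce\wextract_cleanupN key name and the advpack.dll,DelNodeRunDLL32 callee must match, so a sample that reuses the key name but points it at its own binary still comes out as autostart.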

System Location Discovery: System Language Discovery

Tags: discovery

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Target N/A), by every process in the chain:
  C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe

Many benign programs open this key through the Windows NLS APIs, so on its own it is a weak indicator. The report records only the key open, not what was done with the result, so it is consistent with a locale check but does not establish one.

Suspicious use of WriteProcessMemory

The report records each hop three times; collapsed, the rows form a single linear chain. Paths are relative to C:\Users\Admin\AppData\Local\Temp\ and each arrow is a parent writing into the child it launched (three writes per hop):

4360  620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe
  -> 4252  IXP000.TMP\i89324392.exe
     -> 1612  IXP001.TMP\i07777833.exe
        -> 1072  IXP002.TMP\i33379376.exe
           -> 1300  IXP003.TMP\i52230489.exe
              -> 2872  IXP004.TMP\a40413450.exe

Every target is one of the dropped executables listed under Files, so these rows chart the spawn chain of the nested self-extractors; the report shows no write into a process the sample did not create itself.
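Reconstructing that chain from the raw rows is the first thing to automate when this report format is handled in bulk. The following is an added example, not code from the sandbox or the report: it parses the "wrote to memory" rows (reproduced above as constructed input, with two hops kept in triplicate so the de-duplication is exercised), follows the single root to the leaf, and checks that each hop drops into the next IXP00N.TMP directory, which is the shape a nest of IExpress/WExtract packages leaves behind. Function names (parse_rows, build_chain, stage_of, is_nested_sfx_chain) are hypothetical.

```python
import re

# Constructed copy of the "Suspicious use of WriteProcessMemory" rows above. The
# report repeats every hop three times; two hops are kept in triplicate here so
# the de-duplication is exercised, the rest appear once.
WPM_ROWS = r"""
PID 4360 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe
PID 4360 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe
PID 4360 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe
PID 4252 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe
PID 4252 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe
PID 4252 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe
PID 1612 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe
PID 1072 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe
PID 1300 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Extraction directory of a WExtract/IExpress stage: ...\IXP00N.TMP\
STAGE_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)


def parse_rows(text):
    """Return unique (parent_pid, child_pid, parent_image, child_image) edges in first-seen order."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            p, c, pi, ci = m.groups()
            edges[(int(p), int(c), pi, ci)] = None
    return list(edges)


def build_chain(edges):
    """Follow the single root to the leaf; returns [(pid, image), ...] in spawn order."""
    parent_of = {c: p for p, c, _, _ in edges}
    child_of, image = {}, {}
    for p, c, pi, ci in edges:
        if child_of.setdefault(p, c) != c:
            raise ValueError(f"PID {p} spawned more than one child; not a linear chain")
        image.setdefault(p, pi)
        image.setdefault(c, ci)
    roots = [p for p in child_of if p not in parent_of]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append((pid, image[pid]))
        pid = child_of.get(pid)
    return chain


def stage_of(image):
    """Stage number N if the image lives in IXP00N.TMP, else None (the original sample)."""
    m = STAGE_RE.search(image)
    return int(m.group(1)) if m else None


def is_nested_sfx_chain(chain):
    """True when the root is outside any IXP dir and each hop lands in IXP00(N+1).TMP."""
    stages = [stage_of(img) for _, img in chain]
    return stages[0] is None and stages[1:] == list(range(len(chain) - 1))


if __name__ == "__main__":
    chain = build_chain(parse_rows(WPM_ROWS))
    for depth, (pid, img) in enumerate(chain):
        print("  " * depth + f"{pid}  {img}")
    print("nested self-extractor chain:", is_nested_sfx_chain(chain))
    print("final stage:", chain[-1][1])
```

The leaf of the chain is the process worth spending analysis time on: here it is PID 2872, a40413450.exe, which is also the only process the report has memory dumps for.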

Processes

Image path, then the command line the sandbox recorded (only the submitted sample was started with a quoted command line). PIDs are taken from the WriteProcessMemory table above; indentation follows the spawn chain.

4360  C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe
      "C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe"
  4252  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe
    1612  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe
      1072  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe
        1300  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe
          2872  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe
                C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe

Network

Country  Destination          Domain (name queried)          Proto
US       8.8.8.8:53           149.220.183.52.in-addr.arpa    udp
RU       185.161.248.73:4164                                 tcp
US       8.8.8.8:53           74.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53           133.211.185.52.in-addr.arpa    udp
RU       185.161.248.73:4164                                 tcp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa       udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa     udp
US       8.8.8.8:53           0.205.248.87.in-addr.arpa      udp
RU       185.161.248.73:4164                                 tcp
RU       185.161.248.73:4164                                 tcp
US       8.8.8.8:53           22.236.111.52.in-addr.arpa     udp
RU       185.161.248.73:4164                                 tcp
RU       185.161.248.73:4164                                 tcp

Eight of the fourteen rows are reverse-DNS (PTR) queries to 8.8.8.8 for addresses in public cloud and CDN ranges, the kind of background lookups a Windows sandbox image makes on its own; nothing in the report ties them to the sample. The other six rows are repeated TCP connections to 185.161.248.73 on port 4164, the only non-DNS traffic recorded. Taken together with the RedLine payload detection, that host and port is the endpoint to block and hunt for; the report itself does not label it, so treat the C2 attribution as analyst inference.
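Separating sandbox background noise from the sample's own traffic is a routine step, and the in-addr.arpa names are more useful once turned back into the addresses that were looked up. The following is an added example, not part of the report or the sandbox's tooling: it parses the Network table above (reproduced as constructed input), decodes each PTR name to its IPv4 address, and counts the non-DNS connections. Function names (parse_network, ptr_to_ip, triage) are hypothetical, and "non-DNS" is approximated as "destination port other than 53".

```python
import re
from collections import Counter

# Constructed copy of the Network table above: country, destination, optional
# queried name, protocol.
NETWORK_ROWS = """\
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
"""

# Row layout: <country> <ip>:<port> [<queried name>] <tcp|udp>
ROW_RE = re.compile(r"^(\S+) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")
# Reverse-DNS name for an IPv4 address: octets in reverse order under in-addr.arpa.
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?$", re.IGNORECASE)


def parse_network(text):
    """Parse the table into dicts; 'name' is None for rows without a queried name."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, name, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "name": name, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'149.220.183.52.in-addr.arpa' -> '52.183.220.149'; None if not a PTR name."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def triage(rows):
    """Split the table into decoded PTR-lookup targets and counted non-DNS connections."""
    targets = set()
    for r in rows:
        ip = ptr_to_ip(r["name"])
        if ip:
            targets.add(ip)
    # Sort numerically by octet so 20.x sorts before 192.x.
    ptr_targets = sorted(targets, key=lambda s: tuple(int(o) for o in s.split(".")))
    connections = Counter((r["ip"], r["port"], r["proto"])
                          for r in rows if r["port"] != 53)
    return {"ptr_targets": ptr_targets, "connections": connections}


if __name__ == "__main__":
    result = triage(parse_network(NETWORK_ROWS))
    print("addresses the sandbox reverse-resolved:", ", ".join(result["ptr_targets"]))
    for (ip, port, proto), n in result["connections"].items():
        print(f"{n}x {proto} {ip}:{port}")
```

The decoded PTR targets are what you would check against known Microsoft and CDN ranges to confirm they are image noise; the connection counter is what goes into the block list.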

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe

MD5 56f99dcf4769ad94475b2a3e385df7d6
SHA1 ed74096779e730c722936fb5d801eed8f5954690
SHA256 22bfe184cfd7cdaa688996a4bd0f9905df5974f8593db8f4653b5cf067445647
SHA512 c260df906606a895f848a9edad464670eca5fcc903382dfb56171e830c20a5371804e7a1da8010ed1bb224c408263ed911df2ac2d9fb174784fa0b8fd3500e20

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe

MD5 30b50206b81e64e42387a3978250a621
SHA1 706973766bd1ac82df56582cf7373c863d9c5968
SHA256 ebc43d9668df22cdce448f429903b80039f814cca8819fcae555cb33c3e14c54
SHA512 94e803afec1013ed773fb2f0c41dea46720c6c8398ed1d66ca7464634b17fa44ca9b662ef6a188a8a20d9f8e8ee90ae70514710ea17058aab0226440cbe60e1f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe

MD5 1ab762700633e3d5986313b195d2f943
SHA1 8b072b0b0524d8550533d2197eed3ddc3a719556
SHA256 3df7a12fe0e2395c6e1843ba0affbd3f1f0aaa6a73c86759eddfad9f6d66a851
SHA512 154d80251596de6a4a20c40f8aa7a8c23a9533c96c156181b4dec937c1ca23e6cf12560f35554ce84598ac9db637bf11ff5efe4b757b83c0f5eda4b625d91177

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe

MD5 1b4f78619e0b825ec684b6ec596677b9
SHA1 2165630b91acbf5b4cd054fcfee91f60741fc31a
SHA256 cdcddd98edcfdf812d6d135766a2c5112626a0bc55e7074f15cfca59d86c725a
SHA512 5e9eb2a950549541555995ab5ddd284c50454103f74214cffb348268ebeac559d65129aff37ed2f2fddb686db1a9dd64ff3d44035260d05b0b89c2a1ae8f204d

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe

MD5 42c797dd79cf627f18bdafc02154aaac
SHA1 4bc76f54be567295d68d78bfcd766944b1229f49
SHA256 922d50cb151fb9f0d087982b84bea6d9ef37879989d06146f3876222060950ee
SHA512 c3328b4eae57991a4d9c3d08ecd92679758b9cb435669eeda5bfa25357acf13f8a04b085e9344b50f7df322ee1cba22b1768e128514d23a6dfc0a0f9afae411b

Memory dumps (all from PID 2872, the last process in the chain, IXP004.TMP\a40413450.exe; names as recorded by the sandbox):

memory/2872-35-0x0000000000510000-0x0000000000540000-memory.dmp
memory/2872-36-0x0000000004CF0000-0x0000000004CF6000-memory.dmp
memory/2872-37-0x0000000005490000-0x0000000005AA8000-memory.dmp
memory/2872-38-0x0000000004F80000-0x000000000508A000-memory.dmp
memory/2872-39-0x0000000004E90000-0x0000000004EA2000-memory.dmp
memory/2872-40-0x0000000004EF0000-0x0000000004F2C000-memory.dmp
memory/2872-41-0x0000000005090000-0x00000000050DC000-memory.dmp