Malware Analysis Report

2025-06-15 22:19

Sample ID 241109-yhhtds1brn
Target 905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d
SHA256 905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d
Tags
redline dedu discovery infostealer persistence
score
10/10

Analysis Overview

score
10/10

SHA256

905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d

Threat Level: Known bad

The file 905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d was found to be: Known bad.

Malicious Activity Summary

redline dedu discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:47

Reported

2024-11-09 19:49

Platform

win10v2004-20241007-en

Max time kernel

131s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe
PID 4496 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe
PID 2748 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe

Processes

Each process is listed once with its image path and the command line it was started with (PIDs taken from the WriteProcessMemory signature above).

PID 1272
Image: C:\Users\Admin\AppData\Local\Temp\905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe"

PID 4496
Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe

PID 2748
Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe

PID 468
Image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe

Network

Country Destination Domain Proto Count
RU 185.161.248.75:4132 (none) tcp 6
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp 1
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp 1
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp 1
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp 1

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe

MD5 1f936525487ee3390a2f40543dd362a9
SHA1 9bee10624dcb45e4ab975aeb334a447da6b5673e
SHA256 7df3ff2c961e5e492af90a7c100d981cd6c8ed5cd0f4714061e8826858e799aa
SHA512 bcf627c4ca1bc7afededeaf8f73195e52935a9c336bbcfdcd194d1cc9b94aa87bcf11ebcd2414180822e98ea64e76401d97fa7da8b3c9df4146b23f118ceffb1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe

MD5 691b863b119613d2123e13d8a800bc49
SHA1 ab2c44f0fe8efff78f0ac1c72626ffee39b7a3e7
SHA256 40a1996d7687379818189391391219f55125b7c46bae19345ed9a21bb17e4503
SHA512 9069b2e3728b19164a7ff4de5a35661d9f72bbce873ed637d7fd76aa593fd3b228abf33684a74c281e36c166eee481e9cd609ba996cb020af5ee273431adc657

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe

MD5 f64f648b9ef280bbee7159a5f4f70182
SHA1 b7a292a9eaaf559ab327606301cdcff3e3235a42
SHA256 381c68a6d8555975dd16ed9d48b3fbccba8c0a84dac6b00d9ad28a9143843130
SHA512 746dc58b87c8d183de27cf9a37bf478982e4b3b6f3b268d459bd1ee5d3a985fc79f30e46a328ebc22b62f52ccad22ffc0bcdef68b9e592c24b2ea3ef57f0c445

Memory dumps captured from PID 468 (C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe)

memory/468-21-0x0000000000D80000-0x0000000000DAA000-memory.dmp
memory/468-22-0x0000000005CD0000-0x00000000062E8000-memory.dmp
memory/468-23-0x0000000005850000-0x000000000595A000-memory.dmp
memory/468-24-0x0000000005780000-0x0000000005792000-memory.dmp
memory/468-25-0x00000000057E0000-0x000000000581C000-memory.dmp
memory/468-26-0x0000000005960000-0x00000000059AC000-memory.dmp