Malware Analysis Report

2025-05-28 18:28

Sample ID 241109-yyqtya1fkd
Target 78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268
SHA256 78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268
Tags
redline discovery infostealer persistence
score
10/10

Analysis Overview

Threat Level: Known bad

The file 78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268 was found to be: Known bad.

Malicious Activity Summary

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:11

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:11

Reported

2024-11-09 20:14

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268.exe"

Signatures

RedLine

infostealer redline

RedLine payload


Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8374375.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5614046.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8374375.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8374375.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5614046.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268.exe

"C:\Users\Admin\AppData\Local\Temp\78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8374375.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8374375.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5614046.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5614046.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 99.208.201.84.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
FI 77.91.124.251:19069 tcp
FI 77.91.124.251:19069 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8374375.exe

MD5 8e53b584959d462596f7b84fe0eb278e
SHA1 82a6a915713cc2454aa94ed7f928180be8c93e84
SHA256 5cffef2d19eb07318f757c7851d9d2042b2ae54dae3af7f473ade5ac8b219e89
SHA512 22b89e77e14b57892ca088f2b27d94b590125c40ddbdc06a7274761e9d784784e7b6607054941320b71ebf78c2f55524b4f534ae059b9b9ef91ab43acdfafd18

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5614046.exe

MD5 fde49fb6777171e785d6aa949bc1d6d5
SHA1 ebcdea07bf8d7b9ae907f669ab87fce2a50f3fb5
SHA256 3d4c859dbca7bec82f0466ab4a72b106a5dc7f661f55a92d408bae6ad5f38206
SHA512 a8d431ea1b0137e3aa8981aeafbd666a77e2f5004da5f3210d0790c4d8151face8be58ed5add0b86f4529da3a446eafd99903010e15de9a734fa31f752482e20

memory/3124-14-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

memory/3124-15-0x0000000000540000-0x0000000000568000-memory.dmp

memory/3124-16-0x0000000007900000-0x0000000007F18000-memory.dmp

memory/3124-17-0x00000000073A0000-0x00000000073B2000-memory.dmp

memory/3124-18-0x0000000007510000-0x000000000761A000-memory.dmp

memory/3124-19-0x0000000007440000-0x000000000747C000-memory.dmp

memory/3124-20-0x0000000074B00000-0x00000000752B0000-memory.dmp

memory/3124-21-0x0000000004990000-0x00000000049DC000-memory.dmp

memory/3124-22-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

memory/3124-23-0x0000000074B00000-0x00000000752B0000-memory.dmp