Malware Analysis Report

2025-05-06 01:12

Sample ID: 241109-z5e7fs1qbz
Target: 38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923
SHA256: 38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923
Tags: redline most discovery infostealer persistence
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923
Threat Level: Known bad

The file 38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923 was found to be: Known bad.

Malicious Activity Summary

Tags: redline most discovery infostealer persistence

RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 21:17

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 21:17
Reported: 2024-11-09 21:20
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe"

Signatures

RedLine (infostealer redline)

RedLine payload

Redline family (redline)

Adds Run key to start application (persistence)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe | N/A |

System Location Discovery: System Language Discovery (discovery)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a17825952.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2420 wrote to memory of 4840 | N/A | C:\Users\Admin\AppData\Local\Temp\38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe |
| PID 2420 wrote to memory of 4840 | N/A | C:\Users\Admin\AppData\Local\Temp\38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe |
| PID 2420 wrote to memory of 4840 | N/A | C:\Users\Admin\AppData\Local\Temp\38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe |
| PID 4840 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe |
| PID 4840 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe |
| PID 4840 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe |
| PID 4012 wrote to memory of 4284 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a17825952.exe |
| PID 4012 wrote to memory of 4284 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a17825952.exe |
| PID 4012 wrote to memory of 4284 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a17825952.exe |

Processes

| Path | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe | "C:\Users\Admin\AppData\Local\Temp\38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a17825952.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a17825952.exe |

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | | udp |

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe
MD5: 282f2a5eb18dce9ba508f0bb62e53d8c
SHA1: 5ce9da3d71af2b74c49447de61e26d951b43720d
SHA256: 8044726d78b8d4acaa7fd0dd819472076c2f605d81f8502a5747b6d08174790f
SHA512: 83bdc61b2cde4701a25e27f656549d782ae28b085e1801833a5a373f3f5d85b0d3f4dce732114960d4e2d6a4e15e964946edabbc765bc72f0703385e0c11e804

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe
MD5: 5549989438ee6c704a23a7a637178750
SHA1: f1efbe87eed0cd040541491811c8a6142ef9e4ec
SHA256: c62c223e1d2cae23de64ebf545fc091c7fac3b1bb4aae9473645dc566f379812
SHA512: f1eabc7457b0773b22d745c401db2b67d4430590433778896b5bbcbcc7c4b08d174e7599a25585f710b1aafd68a00a4756ff604e16d6af4644c135725b06a2e9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a17825952.exe
MD5: 3835fb0e49c8bd776b55f96534aa9bb9
SHA1: 63118ed0b06d166440837cebacf528dc9c325816
SHA256: 302cb0e099bb50eedf0cad27654917c7311a4662e52888f54116ca2ce008f579
SHA512: da4411146bf120646348a5ca965ecea68f2ecc2cc5bcb67a61919e88e22bc1bdb2d761a6e06104e0e345d7100eb5c4c0d1641d292c7c21df59f083df5b7a359b

Memory dumps (PID 4284):
memory/4284-21-0x0000000000740000-0x0000000000770000-memory.dmp
memory/4284-22-0x0000000004F60000-0x0000000004F66000-memory.dmp
memory/4284-23-0x00000000056E0000-0x0000000005CF8000-memory.dmp
memory/4284-24-0x00000000051D0000-0x00000000052DA000-memory.dmp
memory/4284-25-0x00000000050C0000-0x00000000050D2000-memory.dmp
memory/4284-26-0x0000000005120000-0x000000000515C000-memory.dmp
memory/4284-27-0x0000000005170000-0x00000000051BC000-memory.dmp