Malware Analysis Report

2025-05-28 18:04

Sample ID 241109-zqp34svmcp
Target 1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016
SHA256 1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016
Tags redline debro discovery infostealer persistence
Score 10/10

Analysis Overview

Score 10/10

SHA256 1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016

Threat Level: Known bad

The file 1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016 was found to be: Known bad.

Malicious Activity Summary

redline debro discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:55

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:55

Reported

2024-11-09 20:58

Platform

win10v2004-20241007-en

Max time kernel

132s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3784 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe
PID 3784 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe
PID 3784 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe
PID 3184 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe
PID 3184 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe
PID 3184 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe
PID 1732 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe
PID 1732 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe
PID 1732 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe

Processes

Image C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe
Command line "C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe"

Image C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe
Command line C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe

Image C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe
Command line C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe

Image C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe
Command line C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
RU | 185.161.248.75:4132 | | tcp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
RU | 185.161.248.75:4132 | | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
RU | 185.161.248.75:4132 | | tcp
US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp
RU | 185.161.248.75:4132 | | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
RU | 185.161.248.75:4132 | | tcp
RU | 185.161.248.75:4132 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe

MD5 da50fde284558cbe419670c53aa60f8c
SHA1 6da56df05c9df1e23fa8719065ab892686c6479c
SHA256 d6d3e0992009881476610222f4ba7656745c83ebdaf40d3f7b5ee17e72d2cd7b
SHA512 b850e054457b7c04041336aaf34ecd369984d3f8fccb76f0a615c6d39567f3ffcfef16d94ba0f8c7f11be29f2d06611688cc40aa6ee58c310ab67fe1b69f5098

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe

MD5 d75a68e15a7eedab42754de0502c7619
SHA1 ad9e8bf0251500696926ca836585b8567f48c29e
SHA256 03c4a6ac507b203cd3a509c0eb36cd281153d8fd22472f94e9db7995ca8c31ad
SHA512 7ee1d57961d3f805cc2f32633511e35e725ea75b4c4175a96bbfb085dc7bc1857846744705f0db361a9d073d0dd7544e41d571b86885893a0adb8210e0100127

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe

MD5 21921b55690c5c16247fe806df039732
SHA1 3c8a00d69d7f460413cbaf99156893481fc66329
SHA256 910ece74bdb35bc0f4a0ab2b1716b1d3ffa42192b0cab65d8e5c5e7a102f0bb0
SHA512 86f560f879791688888b28072ffd7ddb59d78808c26e6b2b6473f3c122801597c43d78e3aeca89daff8c1e7d067559f5a8ecaddc7b903a73cd7ce912400c8f1a

memory/1960-21-0x0000000000160000-0x000000000018E000-memory.dmp

memory/1960-22-0x0000000006E10000-0x0000000006E16000-memory.dmp

memory/1960-23-0x000000000A590000-0x000000000ABA8000-memory.dmp

memory/1960-24-0x000000000A110000-0x000000000A21A000-memory.dmp

memory/1960-25-0x000000000A040000-0x000000000A052000-memory.dmp

memory/1960-26-0x000000000A0A0000-0x000000000A0DC000-memory.dmp

memory/1960-27-0x0000000004460000-0x00000000044AC000-memory.dmp