Malware Analysis Report

2024-12-01 02:15

Sample ID 241110-blz6hsyqbq
Target 3e1af7e26ab12c6b48da7042fe15762e4ccad35c8d57268df72ff30b4dc76144
SHA256 3e1af7e26ab12c6b48da7042fe15762e4ccad35c8d57268df72ff30b4dc76144
Tags
redline ruma discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3e1af7e26ab12c6b48da7042fe15762e4ccad35c8d57268df72ff30b4dc76144

Threat Level: Known bad

The file 3e1af7e26ab12c6b48da7042fe15762e4ccad35c8d57268df72ff30b4dc76144 was found to be: Known bad.

Malicious Activity Summary

redline ruma discovery infostealer persistence

RedLine payload

RedLine

Redline family

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:14

Reported

2024-11-10 01:17

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(35 rows, all four fields N/A; no indicator details were exported for this signature)

Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcL85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daG44.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcL85.exe N/A

Note on this signature: both values are the standard cleanup entries that the Windows self-extractor stub (wextract, the IExpress packager) writes for its own extraction directory. rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXP00x.TMP folder at the next logon, and a RunOnce value is removed after it has run once, so neither entry re-launches the malware. What the two rows do establish is the unpacking chain: the submitted file extracted vcL85.exe into IXP000.TMP, and vcL85.exe extracted daG44.exe into IXP001.TMP. The "persistence" tag on this report rests on these rows alone; no Run-key entry pointing at the payload is recorded anywhere in the behavioral analysis.
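The distinction above is easy to automate. The following script is an added example, not part of the sandbox report: it parses registry "Set value" rows in the report's own format, keeps only autostart keys, and separates the wextract self-extractor cleanup pattern (RunOnce\wextract_cleanupN with a rundll32 advpack.dll,DelNodeRunDLL32 command aimed at an IXP00x.TMP directory) from genuine persistence. The first two sample rows are the report's; the third (a Run value named Updater launching upd.exe) is a constructed, hypothetical row added only to show the contrasting verdict.

```python
import re
from dataclasses import dataclass

# Constructed input in the shape of the report's registry rows
# ("Set value (str) <key> = "<data>" <process> <target>"). The first two rows are the
# report's own RunOnce events; the third is a hypothetical Run-key entry (Updater /
# upd.exe, not from the report) added to show what real persistence looks like.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcL85.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Updater\\upd.exe" C:\Users\Admin\AppData\Roaming\Updater\upd.exe N/A',
]

# One report row: operation, key, quoted string data, writing process, optional target column.
EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+) = "(?P<data>.*)" (?P<proc>\S+)(?: \S+)?$')
# Autostart locations under ...\CurrentVersion; the value name is the last path component.
AUTORUN_KEY_RE = re.compile(
    r'\\CurrentVersion\\(?:Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce)\\(?P<name>[^\\]+)$', re.I)
# The self-extractor's cleanup entry: value name and command both have to match.
WEXTRACT_NAME_RE = re.compile(r'\\RunOnce\\wextract_cleanup\d+$', re.I)
WEXTRACT_CMD_RE = re.compile(r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\b', re.I)
IXP_DIR_RE = re.compile(r'[A-Za-z]:[^"\s]*?IXP\d{3}\.TMP', re.I)


@dataclass
class Finding:
    value_name: str   # registry value under the autorun key
    verdict: str      # 'wextract_cleanup' (benign self-extractor cleanup) or 'persistence'
    target: str       # directory that will be deleted, or command that will run at logon
    set_by: str       # process that wrote the value


def unescape(data):
    """Undo the backslash-escaping of quotes and backslashes in the exported value."""
    return re.sub(r'\\(["\\])', r'\1', data)


def classify(line):
    """Return a Finding for an autostart-key write, or None for rows that are out of scope."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    key = AUTORUN_KEY_RE.search(m['key'])
    if key is None:
        return None                      # not an autostart key
    data = unescape(m['data'])
    if WEXTRACT_NAME_RE.search(m['key']) and WEXTRACT_CMD_RE.match(data):
        d = IXP_DIR_RE.search(data)      # the extraction directory being scheduled for deletion
        return Finding(key['name'], 'wextract_cleanup', d.group(0) if d else data, m['proc'])
    return Finding(key['name'], 'persistence', data, m['proc'])


def triage(lines):
    return [f for f in map(classify, lines) if f is not None]


if __name__ == '__main__':
    for f in triage(SAMPLE_EVENTS):
        print(f'{f.verdict:17} {f.value_name:20} -> {f.target}  (set by {f.set_by})')
```

Run against the three rows it reports the two report entries as wextract_cleanup (targets IXP000.TMP and IXP001.TMP) and only the constructed Updater row as persistence; the set_by field gives the extraction chain directly, since each cleanup entry is written by the extractor that created that directory.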

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daG44.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcL85.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daG44.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe

"C:\Users\Admin\AppData\Local\Temp\1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcL85.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcL85.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daG44.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daG44.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.13:4136 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 193.233.20.13:4136 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
RU 193.233.20.13:4136 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 193.233.20.13:4136 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 193.233.20.13:4136 tcp
RU 193.233.20.13:4136 tcp

Reading the table: every udp row is a reverse (PTR) lookup sent to 8.8.8.8; a name of the form d.c.b.a.in-addr.arpa asks for the hostname of a.b.c.d, so 209.205.72.20.in-addr.arpa is a lookup for 20.72.205.209. No forward lookup of a hostname appears. The only non-DNS traffic is six tcp connections to 193.233.20.13:4136 (RU), reached by bare IP on a non-standard port; that endpoint is the one to block and hunt for.
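Separating the reverse lookups from the real connection is mechanical once the in-addr.arpa names are decoded. The script below is an added example (not part of the sandbox report): it parses the Network table exactly as printed above, turns each PTR query name back into the address being looked up, and counts direct connections per endpoint, flagging those on ports other than 53/80/443. The port list in suspicious_endpoints is an assumption of the example, not something the report states.

```python
import ipaddress
import re
from collections import Counter

# Constructed input: the report's Network table, copied verbatim (header included).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.13:4136 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 193.233.20.13:4136 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
RU 193.233.20.13:4136 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 193.233.20.13:4136 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 193.233.20.13:4136 tcp
RU 193.233.20.13:4136 tcp
"""

PTR_RE = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$', re.I)


def ptr_to_ip(name):
    """Decode a reverse-DNS (PTR) query name into the IPv4 address it asks about.
    The octets appear in reverse order in in-addr.arpa names."""
    m = PTR_RE.match(name)
    if m is None:
        return None
    return str(ipaddress.IPv4Address('.'.join(reversed(m.groups()))))


def parse_rows(text):
    """Parse the report's rows; the Domain column is blank for raw connections, giving 3 fields."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ''
        else:
            continue
        host, _, port = dest.rpartition(':')
        rows.append({'country': country, 'ip': host, 'port': int(port),
                     'domain': domain, 'proto': proto})
    return rows


def triage(text):
    """Split the capture into PTR lookups (decoded to the looked-up addresses) and
    direct connections counted per (country, ip, port, proto)."""
    ptr_lookups = []
    direct = Counter()
    for r in parse_rows(text):
        looked_up = ptr_to_ip(r['domain'])
        if r['proto'] == 'udp' and r['port'] == 53 and looked_up:
            ptr_lookups.append(looked_up)
        else:
            direct[(r['country'], r['ip'], r['port'], r['proto'])] += 1
    return {'ptr_lookups': ptr_lookups, 'direct': direct}


def suspicious_endpoints(text, common_ports=(53, 80, 443)):
    """Direct connections on ports outside the assumed 'common' set: candidate C2 endpoints."""
    return {ep: n for ep, n in triage(text)['direct'].items() if ep[2] not in common_ports}


if __name__ == '__main__':
    result = triage(NETWORK_TABLE)
    for ip in result['ptr_lookups']:
        print('PTR lookup for', ip)
    for (country, ip, port, proto), n in suspicious_endpoints(NETWORK_TABLE).items():
        print(f'direct {proto} to {ip}:{port} ({country}) x{n}')
```

On this table the script lists eleven decoded PTR targets and exactly one direct endpoint, 193.233.20.13:4136/tcp, hit six times. The decoded PTR addresses are useful for separating sandbox background noise from sample activity once they are checked against known infrastructure, but that check is outside what the report provides.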

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcL85.exe

MD5 f741776c71c86f4a34323ded9602a4d5
SHA1 292ce158bdfae3117bb2be35625608999d18f63e
SHA256 5265966f5f0074df5a240ef6caf46e977fc03495f14baf9c57c4fb7f88b31137
SHA512 87feda7e09956e900ffd4461435466c2281052b0219bef74a3f81f859c93a27c3713e6249f07f5af1fa01286c8dfc91e5fdc3ac6f4d9e702e44b3b96c332fb96

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daG44.exe

MD5 7cf461732cf9d151aed5ca9f15c9d689
SHA1 16308873863f9231638b81abe04b80afd0b98c18
SHA256 971b14529405a8774ceb5552f3f12fcf455f530e567b71ae043ef166f4ff9d4f
SHA512 1b27323c2386aa46b28ebd2b8a127dfa86ccefee0a104c73d0ec2fd56b7f72c65a46d0529716def211c747e386d101aa38cc7d2143839927971ba7788e381e75

Memory dumps (all from PID 2320; file names follow memory/<pid>-<index>-<start>-<end>-memory.dmp)

Index             Region
15, 933           0x00000000009D0000-0x0000000000AD0000
16                0x00000000023F0000-0x000000000243B000
17, 934           0x0000000000400000-0x000000000044E000
18                0x0000000000400000-0x0000000000767000
19                0x0000000004CF0000-0x0000000004D36000
20                0x0000000004D30000-0x00000000052D4000
21                0x0000000005320000-0x0000000005364000
22, 23-85 (odd)   0x0000000005320000-0x000000000535E000   (same region dumped 33 times)
928               0x00000000053A0000-0x00000000059B8000
929               0x0000000005A40000-0x0000000005B4A000
930               0x0000000005B80000-0x0000000005B92000
931               0x0000000005BA0000-0x0000000005BDC000
932               0x0000000005CF0000-0x0000000005D3C000
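The dump list is long because the sandbox re-dumps a region each time it sees it change, so the first triage step is to group dumps by region and see which one was dumped most often and which ones sit at the default PE image base. The script below is an added example, not part of the report: it parses names in the memory/<pid>-<index>-<start>-<end>-memory.dmp form, groups them, and ranks regions. The input is the report's own list for PID 2320, with the 33 repeats of the 0x05320000-0x0335E000 region generated rather than typed out; the heuristic that the most-dumped region is the first one to inspect for decrypted strings or configuration is the example's, the report says nothing about the dumps' contents.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r'^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$')

# Constructed input: the report's dump names for PID 2320. The 33 dumps of the
# 0x05320000-0x0535E000 region (index 22 and every odd index 23..85) are generated
# here rather than typed out; the remaining 14 names are copied from the report.
SAMPLE_DUMPS = [
    'memory/2320-15-0x00000000009D0000-0x0000000000AD0000-memory.dmp',
    'memory/2320-16-0x00000000023F0000-0x000000000243B000-memory.dmp',
    'memory/2320-17-0x0000000000400000-0x000000000044E000-memory.dmp',
    'memory/2320-18-0x0000000000400000-0x0000000000767000-memory.dmp',
    'memory/2320-19-0x0000000004CF0000-0x0000000004D36000-memory.dmp',
    'memory/2320-20-0x0000000004D30000-0x00000000052D4000-memory.dmp',
    'memory/2320-21-0x0000000005320000-0x0000000005364000-memory.dmp',
] + [
    f'memory/2320-{i}-0x0000000005320000-0x000000000535E000-memory.dmp'
    for i in [22, *range(23, 86, 2)]
] + [
    'memory/2320-928-0x00000000053A0000-0x00000000059B8000-memory.dmp',
    'memory/2320-929-0x0000000005A40000-0x0000000005B4A000-memory.dmp',
    'memory/2320-930-0x0000000005B80000-0x0000000005B92000-memory.dmp',
    'memory/2320-931-0x0000000005BA0000-0x0000000005BDC000-memory.dmp',
    'memory/2320-932-0x0000000005CF0000-0x0000000005D3C000-memory.dmp',
    'memory/2320-933-0x00000000009D0000-0x0000000000AD0000-memory.dmp',
    'memory/2320-934-0x0000000000400000-0x000000000044E000-memory.dmp',
]

DEFAULT_IMAGE_BASE = 0x00400000   # classic default ImageBase of a 32-bit PE


def parse_dump_name(name):
    """Split one dump file name into pid, dump index and the [start, end) address range."""
    m = DUMP_RE.match(name)
    if m is None:
        return None
    return {'pid': int(m['pid']), 'idx': int(m['idx']),
            'start': int(m['start'], 16), 'end': int(m['end'], 16)}


def summarize(names):
    """Group dumps by (pid, start, end) and rank regions: most often dumped first,
    then by the index of the first dump."""
    groups = defaultdict(list)
    for d in filter(None, map(parse_dump_name, names)):
        groups[(d['pid'], d['start'], d['end'])].append(d['idx'])
    rows = [{'pid': pid, 'start': s, 'end': e, 'size': e - s, 'count': len(ix),
             'first': min(ix), 'last': max(ix)} for (pid, s, e), ix in groups.items()]
    rows.sort(key=lambda r: (-r['count'], r['first']))
    return rows


def image_base_candidates(rows):
    """Regions mapped at the default PE image base: the executable image itself, or
    whatever was later written over it. Different sizes at the same base are worth
    comparing side by side."""
    return [r for r in rows if r['start'] == DEFAULT_IMAGE_BASE]


if __name__ == '__main__':
    rows = summarize(SAMPLE_DUMPS)
    for r in rows:
        print(f"pid {r['pid']} 0x{r['start']:08X}-0x{r['end']:08X} size 0x{r['size']:X} "
              f"dumped {r['count']}x (index {r['first']}..{r['last']})")
    print('image-base candidates:', [f"0x{r['end']:08X}" for r in image_base_candidates(rows)])
```

On this list the 0x05320000-0x0535E000 region (0x3E000 bytes) tops the ranking with 33 dumps between index 22 and 85, and two differently sized regions share the 0x00400000 base (0x4E000 and 0x367000 bytes), which is where an analyst would start when carving the unpacked payload out of the dumps.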