Malware Analysis Report

2025-08-11 07:51

Sample ID 241111-gnh8nsthkm
Target 522e6824c8d910bd1dec890eb90ad7ea83d307eb129abaf519bf38681388cae6
SHA256 522e6824c8d910bd1dec890eb90ad7ea83d307eb129abaf519bf38681388cae6
Tags
redline discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

522e6824c8d910bd1dec890eb90ad7ea83d307eb129abaf519bf38681388cae6

Threat Level: Known bad

The file 522e6824c8d910bd1dec890eb90ad7ea83d307eb129abaf519bf38681388cae6 was found to be: Known bad.

Malicious Activity Summary

redline discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 05:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 05:56

Reported

2024-11-11 05:59

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9980ff61b4b54597cbc2ec2cfe111f78fa461ac0806cf05b5ab18dbc09e8737f.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6750921.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1106060.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9980ff61b4b54597cbc2ec2cfe111f78fa461ac0806cf05b5ab18dbc09e8737f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6750921.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9980ff61b4b54597cbc2ec2cfe111f78fa461ac0806cf05b5ab18dbc09e8737f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6750921.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1106060.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9980ff61b4b54597cbc2ec2cfe111f78fa461ac0806cf05b5ab18dbc09e8737f.exe

"C:\Users\Admin\AppData\Local\Temp\9980ff61b4b54597cbc2ec2cfe111f78fa461ac0806cf05b5ab18dbc09e8737f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6750921.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6750921.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1106060.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1106060.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
FI 77.91.124.111:19069 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FI 77.91.124.111:19069 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
FI 77.91.124.111:19069 tcp
FI 77.91.124.111:19069 tcp
FI 77.91.124.111:19069 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
FI 77.91.124.111:19069 tcp
FI 77.91.124.111:19069 tcp
FI 77.91.124.111:19069 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6750921.exe

MD5 befcf327de467b2ac7ec7ddbabed776f
SHA1 00cf220f3bf6640491a2b6cf3665d047b925f427
SHA256 e4e3f113fb11ae031432bce8d9b2bfad807d0869144f012f80a7fbf1f48a730e
SHA512 636f172ca418981cd5bbae135fc4cad7c7ad7e7a95a7c6ef5b6471d4cb8f914c943439d2a1b7a8d37851a4195532ed05316e15ccbf8eaf90b478a02e0ec55b1b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1106060.exe

MD5 6e8ef3264d2f20d394d84809a3042b6a
SHA1 b8c91b452db622a589a774ead74cec244d40ac4c
SHA256 8f488264baed9cca064c9ac8bb1566826336333ac5b1f891b45cfe0fb23ad815
SHA512 099d02da0093e8c672d99a1836f108e9e2114505df6104d42ff5156d7a8a3316372eb9be88b16f86ea3c5ebcf5c2102a5fe2da8bc4d2ae625665224f7c863acc

memory/3396-14-0x00000000741FE000-0x00000000741FF000-memory.dmp

memory/3396-15-0x00000000005B0000-0x00000000005D8000-memory.dmp

memory/3396-16-0x0000000007970000-0x0000000007F88000-memory.dmp

memory/3396-17-0x0000000007410000-0x0000000007422000-memory.dmp

memory/3396-18-0x0000000007580000-0x000000000768A000-memory.dmp

memory/3396-19-0x00000000074B0000-0x00000000074EC000-memory.dmp

memory/3396-20-0x00000000741F0000-0x00000000749A0000-memory.dmp

memory/3396-21-0x0000000004960000-0x00000000049AC000-memory.dmp

memory/3396-22-0x00000000741FE000-0x00000000741FF000-memory.dmp

memory/3396-23-0x00000000741F0000-0x00000000749A0000-memory.dmp