Malware Analysis Report

2025-08-11 07:52

Sample ID 241111-gnq9aavclg
Target 0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N
SHA256 0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32
Tags
redline most discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32

Threat Level: Known bad

The file 0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N was found to be: Known bad.

Malicious Activity Summary

redline most discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 05:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 05:57

Reported

2024-11-11 05:59

Platform

win10v2004-20241007-en

Max time kernel

106s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Adds Run key to start application

persistence

Note: the four values below are RunOnce entries (Windows deletes a RunOnce value before running its command at the next logon), not Run entries, and every one follows the wextract_cleanupN / advpack.dll,DelNodeRunDLL32 "<IXPnnn.TMP>" pattern that the IExpress self-extractor (wextract) registers to remove its temporary extraction folder. They do not persist the RedLine payload. What they do establish is a four-level nested IExpress package (IXP000.TMP through IXP003.TMP): each stage schedules deletion of the folder it unpacked the next stage into.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe N/A

Suspicious use of WriteProcessMemory

Note: each parent writes into the next stage's process (three writes per pair, collapsed below). The four pairs form one linear chain 3576 -> 3860 -> 4088 -> 2204 -> 1052 that matches the IXP000.TMP .. IXP003.TMP nesting and ends in a64284449.exe (PID 1052), the process the memory dumps under Files were taken from.

Description Indicator Process Target
PID 3576 wrote to memory of 3860 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe
PID 3860 wrote to memory of 4088 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe
PID 4088 wrote to memory of 2204 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe
PID 2204 wrote to memory of 1052 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe
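The two tables above (the RunOnce values and the WriteProcessMemory chain) are the raw material an analyst uses to decide what is dropper plumbing and what is real persistence. The following script is an added worked example, not part of the sandbox report: it transcribes the report's registry and PID rows, classifies each RunOnce value as wextract self-cleanup or as an autostart candidate that still needs triage, and collapses the repeated parent-to-child writes into the dropper's process chain. The `Updater` Run value is a constructed contrast case and does not appear in the report.

```python
"""Added worked example, not part of the sandbox report: parse the RunOnce rows
and the WriteProcessMemory rows above to (1) separate wextract/IExpress
self-cleanup entries from genuine autostart persistence and (2) collapse the
repeated parent->child writes into the dropper's process chain.  The registry
and PID data are transcribed from the report; the 'Updater' Run value is a
constructed contrast case and does not appear in the report."""
import re

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe"
STAGE = [TMP + r"\IXP000.TMP\i52967016.exe", TMP + r"\IXP001.TMP\i84159350.exe",
         TMP + r"\IXP002.TMP\i51748369.exe", TMP + r"\IXP003.TMP\a64284449.exe"]
HKLM_CV = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion"


def _cleanup_cmd(n):
    # Value data as written by wextract, with the report's JSON-style escaping undone:
    #   rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "...\IXP00n.TMP\"
    return (r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "'
            + TMP + r"\IXP%03d.TMP" % n + "\\\"")


# (key path, value data, process that wrote it), from the report
RUNONCE_ROWS = [
    (HKLM_CV + r"\RunOnce\wextract_cleanup1", _cleanup_cmd(1), STAGE[0]),
    (HKLM_CV + r"\RunOnce\wextract_cleanup2", _cleanup_cmd(2), STAGE[1]),
    (HKLM_CV + r"\RunOnce\wextract_cleanup3", _cleanup_cmd(3), STAGE[2]),
    (HKLM_CV + r"\RunOnce\wextract_cleanup0", _cleanup_cmd(0), SAMPLE),
    # constructed: what a real autostart entry looks like next to the cleanup noise
    (HKLM_CV + r"\Run\Updater", r'"C:\Users\Admin\AppData\Roaming\svc\upd.exe"', STAGE[3]),
]

# (parent pid, child pid, parent image, child image); the report lists each pair 3 times
WPM_ROWS = [row for row in [
    (3576, 3860, SAMPLE, STAGE[0]), (3860, 4088, STAGE[0], STAGE[1]),
    (4088, 2204, STAGE[1], STAGE[2]), (2204, 1052, STAGE[2], STAGE[3]),
] for _ in range(3)]

CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"\s*$', re.I)
CLEANUP_KEY_RE = re.compile(r"\\CurrentVersion\\RunOnce\\wextract_cleanup\d+$", re.I)
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.I)


def classify_runonce(key, data):
    """Return ('wextract-cleanup', dir) when a RunOnce wextract_cleanupN value only deletes
    an IXPnnn.TMP extraction folder; everything else is ('persistence-candidate', data)."""
    m = CLEANUP_RE.match(data)
    if m and CLEANUP_KEY_RE.search(key) and IXP_RE.search(m.group("dir")):
        return "wextract-cleanup", m.group("dir")
    return "persistence-candidate", data


def stage_of(path):
    """IXP stage index of a path under the temp dir; -1 for the submitted sample itself."""
    m = IXP_RE.search(path)
    return int(m.group(1)) if m else -1


def build_chain(rows):
    """Deduplicate parent->child memory writes into one linear chain of (pid, image)."""
    parent_of, image, children = {}, {}, {}
    for src, dst, src_img, dst_img in rows:
        image[src], image[dst] = src_img, dst_img
        if parent_of.setdefault(dst, src) != src:
            raise ValueError(f"pid {dst} has two different parents")
        children.setdefault(src, set()).add(dst)
    roots = [pid for pid in image if pid not in parent_of]
    if len(roots) != 1:
        raise ValueError(f"expected a single root process, got {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append((pid, image[pid]))
        kids = sorted(children.get(pid, ()))
        if len(kids) > 1:
            raise ValueError(f"pid {pid} has several children; not a linear chain")
        pid = kids[0] if kids else None
    return chain


def report():
    """Cleanup pairs (writer stage -> stage dir it will delete), autostart keys left to triage, chain."""
    cleanup_pairs, candidates = {}, []
    for key, data, writer in RUNONCE_ROWS:
        kind, detail = classify_runonce(key, data)
        if kind == "wextract-cleanup":
            cleanup_pairs[stage_of(writer)] = stage_of(detail)
        else:
            candidates.append(key)
    return {"chain": [pid for pid, _ in build_chain(WPM_ROWS)],
            "cleanup_pairs": cleanup_pairs, "persistence_candidates": candidates}


if __name__ == "__main__":
    r = report()
    print("process chain:", " -> ".join(map(str, r["chain"])))
    for writer, target in sorted(r["cleanup_pairs"].items()):
        print(f"stage {writer} schedules deletion of IXP{target:03d}.TMP (cleanup, not persistence)")
    print("autostart keys still to triage:", r["persistence_candidates"])
```

On the report's data the cleanup pairs come out as {-1: 0, 0: 1, 1: 2, 2: 3}: the submitted sample (stage -1) schedules deletion of IXP000.TMP, the stage-0 extractor schedules IXP001.TMP, and so on, which is exactly the wextract behaviour and leaves only the constructed `Run\Updater` value as something worth a second look. The chain check deliberately refuses branching or multi-parent input, so a tree that is not a simple nested dropper fails loudly instead of being silently flattened.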

Processes

C:\Users\Admin\AppData\Local\Temp\0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe

"C:\Users\Admin\AppData\Local\Temp\0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe

Network

Note: all UDP traffic consists of reverse (PTR) lookups sent to 8.8.8.8:53 for addresses unrelated to the sample (the in-addr.arpa names decode to 52.167.249.196, 20.190.159.64 and similar), ordinary Windows and sandbox background noise. The only other traffic is five TCP connections to 185.161.248.73:4164 in RU, a nonstandard port with no forward DNS lookup for it anywhere in the table (the address is hard-coded). That is consistent with RedLine's plain-TCP C2 channel and is the indicator to block and hunt for.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
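Reading the Network table by eye works for fifteen rows but not for a busy sample, so the following added example (not part of the sandbox report) does the triage in code: it transcribes the rows above, decodes each in-addr.arpa name back to the address being asked about, collapses the TCP rows into per-endpoint connection counts, and reports any non-DNS endpoint contacted repeatedly as a C2 candidate. A plain hostname in a DNS row is kept as a forward lookup rather than decoded; that case does not occur in the report and is handled as an edge case only.

```python
"""Added worked example, not part of the sandbox report: triage the Network table
above.  Every UDP row is a reverse (PTR) lookup sent to 8.8.8.8, so the code
decodes the in-addr.arpa name back to the address being asked about; the TCP
rows are collapsed into per-endpoint connection counts, and any non-DNS
endpoint contacted repeatedly is reported as a C2 candidate.  Rows are
transcribed from the report."""
import ipaddress
from collections import Counter

# (country, destination, queried name, protocol) exactly as in the report's Network table
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "196.249.167.52.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("US", "8.8.8.8:53", "64.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.31.95.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "98.117.19.2.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("US", "8.8.8.8:53", "88.210.23.2.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "48.229.111.52.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
]


def ptr_to_ip(name):
    """'196.249.167.52.in-addr.arpa' -> '52.167.249.196'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        # PTR names list the octets in reverse order
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage_network(rows):
    """Split rows into PTR lookups, forward lookups and direct connections with counts."""
    ptr_lookups, forward_lookups, connections = [], [], Counter()
    for country, dest, name, proto in rows:
        host, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53":
            ip = ptr_to_ip(name)
            if ip:
                ptr_lookups.append(ip)
            else:
                forward_lookups.append(name)   # a hostname being resolved, not a PTR
        else:
            connections[(country, host, int(port), proto)] += 1
    return {"ptr_lookups": ptr_lookups, "forward_lookups": forward_lookups,
            "connections": dict(connections)}


def c2_candidates(rows, min_hits=2):
    """Non-DNS endpoints contacted at least min_hits times, as 'ip:port' strings.
    A heuristic, not proof of C2: on this report it isolates the single repeated RU endpoint."""
    conns = triage_network(rows)["connections"]
    return [f"{host}:{port}" for (_, host, port, _), n in sorted(conns.items()) if n >= min_hits]


if __name__ == "__main__":
    t = triage_network(NETWORK_ROWS)
    print("reverse lookups for:", ", ".join(t["ptr_lookups"]))
    print("direct connections:", t["connections"])
    print("C2 candidates:", c2_candidates(NETWORK_ROWS))
```

The decoded PTR targets (8.8.8.8, 52.167.249.196, 20.190.159.64, 192.229.221.95, 20.12.23.50, 13.95.31.18, 2.19.117.98, 2.23.210.88, 199.232.214.172, 52.111.229.48) are addresses the guest asked about, not addresses it connected to, so they belong in the noise bucket; the one endpoint that survives `c2_candidates` is 185.161.248.73:4164 with five connections.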

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe

MD5 b659e8693f9c6bf3a07242f64a641643
SHA1 d6b9303eaf4fa66f95c4c617288ec57fc6addbe3
SHA256 c5c53066c9c65ea6d05fa10adcace56317f59ece80d9e756bdcbec681599fca1
SHA512 b0544418d253d2e1a1416b16cf52de3af6aef7f2afe96ddaccfdb622e27dd53a9ebe64595d5de106c47cfe697fd6cf8bc8fdf155b6821bd0c61ec99b6a0a7350

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe

MD5 1881d788b8046308e1156636d4a6f8d2
SHA1 fb8e4d40d1a0664f13316ab23f13c050390b99b5
SHA256 a9b8e823d9318836368a7be00b8edccbe265282d0aaa5666d6503afff0dea74c
SHA512 41b780eaa441b6500b249da7767284b3cf3d7cbbdff55203461baf9808c5598a1b5ef2eca9f3692e1bf0cd954b1373695b54d2fef1eddbbb1c86cd09c6fb83bb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe

MD5 341ee1742a7c6cb97a6f94cb2880f72b
SHA1 55d67dc790192ad81761dc30ce4550b9f7e096a7
SHA256 5303cca9f76963e9b0a728d64f36a64bdca4f3c6ed9c6e00a85489af77b60695
SHA512 d0628d5e853bf87e72a399aaaf7f43af6e43bb549b39cb955cd1f74b0d31d0d1f101f357c18c8caa875cbf3ce2410e04e24a98568c042ac0d19636f8cda7aca9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe

MD5 375fb5fc9e409807364960c1891d2625
SHA1 ca904acdf5e162c8e595bb3c1dcb48ed97228ed5
SHA256 71d35ffc50602e0bc952a8157bbc4b07cc2dcdd47c6a01257abc3d1c47b2510f
SHA512 f6d7d1d6336440d69dc5debbb46ad4791bfb0f228519df264ba1f56c5227c832ef046803a28b65209f039b720f0d60dab7478d70d06036ac0df017a60248ec89

Memory regions dumped from PID 1052 (C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe), the last process in the chain and the one carrying the unpacked RedLine payload:

memory/1052-28-0x0000000000FF0000-0x0000000001020000-memory.dmp

memory/1052-29-0x00000000034B0000-0x00000000034B6000-memory.dmp

memory/1052-30-0x0000000006120000-0x0000000006738000-memory.dmp

memory/1052-31-0x0000000005C10000-0x0000000005D1A000-memory.dmp

memory/1052-32-0x0000000005990000-0x00000000059A2000-memory.dmp

memory/1052-33-0x0000000005B00000-0x0000000005B3C000-memory.dmp

memory/1052-34-0x0000000005B50000-0x0000000005B9C000-memory.dmp