Malware Analysis Report

2025-08-10 14:35

Sample ID 241111-gq7ztatlcz
Target 3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd
SHA256 3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd
Tags
redline most discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd

Threat Level: Known bad

The file 3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd was found to be: Known bad.

Malicious Activity Summary

redline most discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15 (the matrix on the original page is an interactive element; the techniques implied by the behavioral signatures in this report are T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, raised for the RunOnce values, and T1614.001 System Location Discovery: System Language Discovery, raised for the NLS\Language key reads)

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:01

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator rows recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:01

Reported

2024-11-11 06:04

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(no indicator rows recorded for this signature)

Redline family

redline

Adds Run key to start application

persistence

All five values below sit under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce, are named wextract_cleanupN, and carry data of the form rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "<dir>". That is the cleanup hook the Windows self-extractor stub (WExtract, the IExpress package runtime that creates the IXP00N.TMP directories) writes for itself: at the next logon rundll32 loads advpack.dll and DelNodeRunDLL32 deletes the named extraction directory, after which the RunOnce value is gone. The signature fires because the value lives under a Run key, but none of the recorded values starts a program; each stage registers deletion of the directory it extracted the next stage into (the top-level sample for IXP000.TMP, i23121391.exe for IXP001.TMP, and so on). Collect the IXP*.TMP directories and the executables in them before the machine is rebooted.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe N/A
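A parser for the RunOnce rows as printed above, added here as a worked example; it is not part of the sandbox report. It unescapes the quoted value data, recognises the advpack.dll DelNodeRunDLL32 form, and separates self-extractor cleanup hooks from values that would actually start a program at logon. The row strings are copied from the table; the regular expressions assume the report's column order and its \\ and \" escaping of the value data, which is an assumption about this page's layout rather than a documented schema.

```python
import re
from typing import NamedTuple

# The five RunOnce rows from the table above, copied as the report prints them.
# The value data is quoted, with backslash and double quote escaped as \\ and \".
RUNONCE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe N/A',
]

# Assumed row layout: description, key path, quoted data, setting process, target.
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?) = "(?P<data>.*)" (?P<process>\S+) (?P<target>\S+)$'
)
# rundll32.exe <dll>,<export> "<directory>"
CLEANUP_RE = re.compile(r'^rundll32\.exe (?P<dll>\S+),(?P<export>\w+) "(?P<dir>[^"]+)"$', re.IGNORECASE)


class RunOnceEntry(NamedTuple):
    value_name: str   # e.g. wextract_cleanup1
    hive_path: str    # key path without the value name
    command: str      # value data with the sandbox escaping undone
    deletes_dir: str  # directory DelNodeRunDLL32 will remove, "" if not a cleanup hook
    set_by: str       # process that wrote the value


def unescape(s: str) -> str:
    """Undo the report's backslash escaping: \\x becomes x for any x."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_row(row: str) -> RunOnceEntry:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row[:60]}...")
    hive_path, _, value_name = m.group("key").rpartition("\\")
    command = unescape(m.group("data"))
    c = CLEANUP_RE.match(command)
    deletes_dir = ""
    if c and c.group("dll").lower().endswith("advpack.dll") and c.group("export").lower() == "delnoderundll32":
        deletes_dir = c.group("dir")
    return RunOnceEntry(value_name, hive_path, command, deletes_dir, m.group("process"))


def is_wextract_cleanup(e: RunOnceEntry) -> bool:
    """The self-extractor's delete-my-temp-dir hook: removes a directory, starts nothing."""
    return e.value_name.lower().startswith("wextract_cleanup") and bool(e.deletes_dir)


def parse_rows(rows):
    entries = [parse_row(r) for r in rows]
    # order by numeric suffix so cleanup0 (written by the top-level sample) comes first
    return sorted(entries, key=lambda e: int(re.search(r"\d+$", e.value_name).group()))


def real_persistence(rows):
    """Entries that would actually start a program at the next logon."""
    return [e for e in parse_rows(rows) if not is_wextract_cleanup(e)]


def cleanup_dirs(rows):
    """Directories scheduled for deletion: collect these before the host reboots."""
    return [e.deletes_dir for e in parse_rows(rows) if is_wextract_cleanup(e)]


if __name__ == "__main__":
    for e in parse_rows(RUNONCE_ROWS):
        kind = "wextract cleanup" if is_wextract_cleanup(e) else "AUTOSTART"
        setter = e.set_by.rsplit("\\", 1)[-1]
        print(f"{e.value_name:18} {kind:17} deletes={e.deletes_dir!r:58} set_by={setter}")
    print("values that persist a program:", real_persistence(RUNONCE_ROWS))
```

Run as-is it lists five cleanup hooks and an empty persistence list; the same classifier applied to a RunOnce value whose data is a plain executable path would return that entry from real_persistence.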

System Location Discovery: System Language Discovery

discovery

Every stage, from the top-level sample through a56915735.exe, opens HKLM\SYSTEM\ControlSet001\Control\NLS\Language. Reading the installed system language is the behaviour behind ATT&CK T1614.001 and the usual basis for a locale check that aborts on selected countries; the report records only the key open, not which values were compared or whether execution would have stopped, so the excluded locales, if any, cannot be read from this table.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe N/A

Suspicious use of WriteProcessMemory

Each row below stands for three identical events in the report. Every write goes from one stage into the next stage in the extraction chain, IXP000.TMP through IXP004.TMP; no writes into a pre-existing or system process are recorded, so this table documents the dropper chain (sample, i23121391.exe, i92806119.exe, i28294998.exe, i45511230.exe, a56915735.exe) rather than injection into another process.

Description Indicator Process Target
PID 4740 wrote to memory of 1012 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe
PID 1012 wrote to memory of 1324 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe
PID 1324 wrote to memory of 1940 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe
PID 1940 wrote to memory of 3800 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe
PID 3800 wrote to memory of 3608 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe
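A reconstruction of the dropper chain from the WriteProcessMemory rows, added as a worked example that is not part of the sandbox report. It counts the repeated events per writer/target pair, builds the writer-to-target graph, walks it from the one PID that is never written to, and flags any write whose target lives outside the sample's own Temp directories, which is the case that would actually suggest injection into another process. The rows are the fifteen events as the report prints them; the "PID A wrote to memory of B N/A <image A> <image B>" column layout is an assumption about this page's format.

```python
import re
from collections import Counter, defaultdict

# The fifteen WriteProcessMemory rows copied from the report (three per stage).
WPM_ROWS = r"""
PID 4740 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe
PID 4740 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe
PID 4740 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe
PID 1012 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe
PID 1012 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe
PID 1012 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe
PID 1324 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe
PID 1324 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe
PID 1324 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe
PID 1940 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe
PID 1940 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe
PID 1940 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe
PID 3800 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe
PID 3800 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe
PID 3800 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe
"""

# Assumed row layout: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"
ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$")


def parse_events(text):
    """Return ({(src_pid, dst_pid): event count}, {pid: image path})."""
    writes, images = Counter(), {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line[:50]}")
        src, dst = int(m["src"]), int(m["dst"])
        writes[(src, dst)] += 1
        images[src], images[dst] = m["src_img"], m["dst_img"]
    return writes, images


def build_graph(writes):
    """Writer PID -> list of PIDs it wrote into (edge order preserved)."""
    children = defaultdict(list)
    for src, dst in writes:
        if dst not in children[src]:
            children[src].append(dst)
    return children


def roots(writes):
    """PIDs that write into others but are never written to: the top of each chain."""
    return sorted({s for s, _ in writes} - {d for _, d in writes})


def chain(writes):
    """The dropper chain as a list of PIDs, root first; raises if the graph branches."""
    children = build_graph(writes)
    (root,) = roots(writes)
    out, cur = [root], root
    while children.get(cur):
        if len(children[cur]) != 1:
            raise ValueError(f"PID {cur} wrote into several processes: {children[cur]}")
        cur = children[cur][0]
        out.append(cur)
    return out


def foreign_targets(writes, images):
    """Writes whose target image is not under the user's Temp tree: the ones that
    would point at injection into an unrelated process rather than stage-to-stage writes."""
    temp = "\\appdata\\local\\temp\\"
    return [(s, d) for s, d in writes if temp not in images[d].lower()]


def render(writes, images):
    pids = chain(writes)
    lines = []
    for depth, pid in enumerate(pids):
        name = images[pid].rsplit("\\", 1)[-1]
        note = f"  ({writes[(pids[depth - 1], pid)]} writes from PID {pids[depth - 1]})" if depth else ""
        lines.append("  " * depth + f"{pid} {name}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    w, imgs = parse_events(WPM_ROWS)
    print(render(w, imgs))
    print("writes into processes outside the Temp chain:", foreign_targets(w, imgs))
```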

Processes

C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe

"C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe

Network

Twelve of the eighteen rows are PTR (in-addr.arpa) queries sent to 8.8.8.8: reverse lookups of addresses the VM resolved during the run, typical of background OS traffic, and not indicators. The only direct connection is 185.161.248.73:4164 over TCP (RU), opened six times during the 148 s network window; that endpoint is the network indicator to take from this report.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
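A triage pass over the Network table, added as a worked example that is not part of the sandbox report. It parses each row, turns in-addr.arpa names back into the addresses that were looked up, and separates those PTR queries from direct connections, which it counts per endpoint. The rows are copied from the table; treating port-53 PTR traffic to 8.8.8.8 as background resolution rather than as an indicator is a triage heuristic of this example, not something the report states, and the "Country Destination [Domain] Proto" column layout is an assumption about this page's format.

```python
import ipaddress
import re
from collections import Counter

# The eighteen Network rows copied from the report; tcp rows have no Domain column.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
"""

# Assumed row layout: "<CC> <ip>:<port> [<domain>] <proto>"
ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[0-9.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")


def ptr_to_ip(name):
    """154.239.44.20.in-addr.arpa -> 20.44.239.154; None if not an IPv4 PTR name."""
    if not name.lower().endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return ip


def classify(text):
    """Return (list of addresses looked up via PTR, Counter of direct endpoints)."""
    ptr_lookups, connections = [], Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line}")
        port, proto, domain = int(m["port"]), m["proto"], m["domain"]
        looked_up = ptr_to_ip(domain) if domain else None
        if port == 53 and proto == "udp" and looked_up:
            ptr_lookups.append(looked_up)       # resolver traffic, not an endpoint the sample talked to
        else:
            connections[(m["cc"], m["ip"], port, proto)] += 1
    return ptr_lookups, connections


def network_iocs(text):
    """Direct endpoints as (ip:port/proto, country, connection count), most frequent first."""
    _, connections = classify(text)
    return [(f"{ip}:{port}/{proto}", cc, n) for (cc, ip, port, proto), n in connections.most_common()]


if __name__ == "__main__":
    ptrs, conns = classify(NETWORK_ROWS)
    print(f"{len(ptrs)} PTR lookups covering {len(set(ptrs))} addresses (background resolution, not IOCs)")
    for endpoint, cc, n in network_iocs(NETWORK_ROWS):
        print(f"direct connection {endpoint} ({cc}) x{n}")
```

The addresses recovered from the PTR names are worth keeping in the case notes, since they show what the VM resolved, but only the direct endpoint list belongs in a blocklist.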

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe

MD5 200533d1407ff660c8e21d85a9eb5f6c
SHA1 894fc5f6090622dc8feb40137f40499eec677a16
SHA256 dcd95d79bb84de407d7d77cc5273215662ca9a56255e06cd116d899b7dfe15c3
SHA512 1df15c2d7bd057e21c4d4a463abde82b2b63ab784c1e327ac18972d70bd240d76a72fb6ca2031913a806ed3d96ca61ae743c1a76271d8cb0ef7fd4c540b4818e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe

MD5 85990274efa48f8b8b2a1ecf2a6413d4
SHA1 6bee2a00f480eeae5dfe361a22297759fc03d208
SHA256 68b75c9b9d2824559d2af7ef28f8c010f77ec043ca24acf2183f6a3921a65b42
SHA512 94f1cb9ffad045f155c8e95312d6bd189d868353e43c04550611ada4f66dab1656529600a2194877ae936e30a5b1bde56c3a0aac03c3c191ab35976edc6d3412

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe

MD5 3fb432179a28faff938f7f1ad7ffc3d8
SHA1 211284485081f7bf0a09b44acdec233a78f65ac8
SHA256 771557411c0021f2d495b72a49a020c277ba4658a646fd31507f3b0b715efc0e
SHA512 17b5f88144542fded42f5df13b875ae24ce40a27a4d3ebe71a9fdf9892e70e1d756f47125facabc64ec3b95b2517de29f84f29a279d2db3676d877836d8face1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe

MD5 7c0a1c10a357abeb0fb484968abd087e
SHA1 71aa532533c1fbc2cb51f69f5c21293ccea72425
SHA256 7a5893d45095dc0e14f9035780b21a977cbab589c556b7b8f705bf83c5ca0dd9
SHA512 f26ece118abea3d065715d09a735023da9af1c86770e613cdff8cfc8761e9a2cd723210e2021945024ad5c9f849acc161b1cc5a825a9f639000fa77d306cd8cf

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe

MD5 92ce95e0808338e0da10c041498d7c75
SHA1 b81e71fa22f23e0148d25cb618ba89dbcdb74b3d
SHA256 f345244e2698b4074cc6b7a988c3aaee9a902f381712299aad6381cb99121387
SHA512 056336fdabbc9f260f170ec773b98590c0c75d0e0b173633116fe2c1ec4260d9a2a3a3477b920ab6273694a96c396e98cfff24c8d6985b0e6d201c299bd9a011

All memory dumps are from PID 3608, C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe, the last stage in the chain:

memory/3608-35-0x0000000000D70000-0x0000000000DA0000-memory.dmp

memory/3608-36-0x0000000003140000-0x0000000003146000-memory.dmp

memory/3608-37-0x0000000005DA0000-0x00000000063B8000-memory.dmp

memory/3608-38-0x0000000005890000-0x000000000599A000-memory.dmp

memory/3608-39-0x00000000055E0000-0x00000000055F2000-memory.dmp

memory/3608-40-0x0000000005780000-0x00000000057BC000-memory.dmp

memory/3608-41-0x00000000057C0000-0x000000000580C000-memory.dmp