Malware Analysis Report

2025-08-06 01:52

Sample ID 241111-hk7yasvhjd
Target 51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403
SHA256 51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403
Tags
redline mixa discovery evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403

Threat Level: Known bad

The file 51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403 was found to be: Known bad.

Malicious Activity Summary

redline mixa discovery evasion infostealer persistence trojan

RedLine payload

Modifies Windows Defender Real-time Protection settings

RedLine

Redline family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:48

Reported

2024-11-11 06:51

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2915517.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1476 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe
PID 1476 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe
PID 1476 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe
PID 2404 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe
PID 2404 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe
PID 2404 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe
PID 2608 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe
PID 2608 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe
PID 2608 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe
PID 2608 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2915517.exe
PID 2608 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2915517.exe
PID 2608 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2915517.exe

Processes

C:\Users\Admin\AppData\Local\Temp\51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe

"C:\Users\Admin\AppData\Local\Temp\51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2915517.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2915517.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 185.161.248.75:4132 | | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
RU | 185.161.248.75:4132 | | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
RU | 185.161.248.75:4132 | | tcp
RU | 185.161.248.75:4132 | | tcp
RU | 185.161.248.75:4132 | | tcp
RU | 185.161.248.75:4132 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe

MD5 b8e462df97eb6c9b27bfa81dc5a6ec72
SHA1 c7c3fe68fdb9f5cea51900f0255c79276bdc89db
SHA256 36cf47120fcd4b71f989ce13edf46764c91c4ecbeb8ba49f455dad5a71c5f9e8
SHA512 5d059f54958a4df6bb47bf5b57f0b869387c76d29538ba5ba0fe5d5ef2a0c9e865f95dde8ed0c0f89b036742c49aeda599930aebb7eeb70538a75328fcd80b12

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe

MD5 93ef0e9a3a2d6465200f788a722053e6
SHA1 c1367f9baa6ca778edc75b9ea9ce7ad380f9c3a2
SHA256 feb41c1421820612aea856752a440f5030ad82646383b722635a7f8e9aee6d0a
SHA512 47de94ce27749890b172c4ab4aa81ec71d89d904ca980b4d8d5bfc4e2fbc65c4df9590ffa81e9bbcd3b7761570ce90811cc11ec9ebbfa8cd080633f5dc6af0c9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe

MD5 d4c640fb500618ad6c9fc5fe7d3e784d
SHA1 850df0880e1685ce709b44afbbb365cab4f0fec4
SHA256 a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b
SHA512 a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

memory/2680-21-0x0000000002360000-0x000000000237E000-memory.dmp

memory/2680-22-0x0000000004C80000-0x0000000005224000-memory.dmp

memory/2680-23-0x0000000002780000-0x000000000279C000-memory.dmp

memory/2680-25-0x0000000002780000-0x0000000002796000-memory.dmp

memory/2680-41-0x0000000002780000-0x0000000002796000-memory.dmp

memory/2680-51-0x0000000002780000-0x0000000002796000-memory.dmp

memory/2680-49-0x0000000002780000-0x0000000002796000-memory.dmp

memory/2680-47-0x0000000002780000-0x0000000002796000-memory.dmp

memory/2680-45-0x0000000002780000-0x0000000002796000-memory.dmp

memory/2680-43-0x0000000002780000-0x0000000002796000-memory.dmp

memory/2680-39-0x0000000002780000-0x0000000002796000-memory.dmp

memory/2680-37-0x0000000002780000-0x0000000002796000-memory.dmp

memory/2680-35-0x0000000002780000-0x0000000002796000-memory.dmp

memory/2680-33-0x0000000002780000-0x0000000002796000-memory.dmp

memory/2680-31-0x0000000002780000-0x0000000002796000-memory.dmp

memory/2680-30-0x0000000002780000-0x0000000002796000-memory.dmp

memory/2680-27-0x0000000002780000-0x0000000002796000-memory.dmp

memory/2680-24-0x0000000002780000-0x0000000002796000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2915517.exe

MD5 5366664936e30a322473778461d141fd
SHA1 ef60738704e3518ee7d65ccdf956a73d16e7f130
SHA256 e35dcf4d09dcfca6db8a08755e7d2115a3ddd2dc4faa571d96482ffaf3669c01
SHA512 ab67b7995b4f8052f7fe287471cfb155744a8c9bf6e7cd00c1d592ef2de63b7eb89812f4c9612625026068d31ead1954fd3c30dabb11e9bb563c70eca9ad346d

memory/4292-56-0x0000000000DA0000-0x0000000000DCE000-memory.dmp

memory/4292-57-0x00000000016B0000-0x00000000016B6000-memory.dmp

memory/4292-58-0x000000000B0C0000-0x000000000B6D8000-memory.dmp

memory/4292-59-0x000000000AC10000-0x000000000AD1A000-memory.dmp

memory/4292-60-0x000000000AB40000-0x000000000AB52000-memory.dmp

memory/4292-61-0x000000000ABA0000-0x000000000ABDC000-memory.dmp

memory/4292-62-0x0000000004F20000-0x0000000004F6C000-memory.dmp