Malware Analysis Report

2024-08-06 19:34

Sample ID 220812-bdsfpshaf4
Target 652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31
SHA256 652df68ddd16669970274981d1b356d23688e65a40f1caa26853447cf7dfff31
Tags
redline billy infostealer spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

652df68ddd16669970274981d1b356d23688e65a40f1caa26853447cf7dfff31

Threat Level: Known bad

The file 652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31 was found to be: Known bad.

Malicious Activity Summary

redline billy infostealer spyware

RedLine

RedLine payload

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V6

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Credentials in Files
T1081
Discovery
TA0007
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040

Analysis: static1

Detonation Overview

Reported

2022-08-12 01:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-12 01:02

Reported

2022-08-12 01:07

Platform

win7-20220715-en

Max time kernel

47s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1976 set thread context of 197120 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 197120 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1976 wrote to memory of 197120 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1976 wrote to memory of 197120 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1976 wrote to memory of 197120 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1976 wrote to memory of 197120 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1976 wrote to memory of 197120 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1976 wrote to memory of 197120 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1976 wrote to memory of 197120 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1976 wrote to memory of 197120 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe

"C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

Country Destination Domain Proto
FI 135.181.170.165:48769 tcp

Files

memory/197120-54-0x0000000000400000-0x0000000000420000-memory.dmp

memory/197120-56-0x0000000000400000-0x0000000000420000-memory.dmp

memory/197120-61-0x000000000041AEA2-mapping.dmp

memory/197120-62-0x0000000000400000-0x0000000000420000-memory.dmp

memory/197120-63-0x0000000000400000-0x0000000000420000-memory.dmp

memory/197120-64-0x0000000076601000-0x0000000076603000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-12 01:02

Reported

2022-08-12 01:07

Platform

win10-20220414-en

Max time kernel

165s

Max time network

183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 684 set thread context of 198888 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 684 wrote to memory of 198888 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 684 wrote to memory of 198888 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 684 wrote to memory of 198888 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 684 wrote to memory of 198888 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 684 wrote to memory of 198888 N/A C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe

"C:\Users\Admin\AppData\Local\Temp\652DF68DDD16669970274981D1B356D23688E65A40F1CAA26853447CF7DFFF31.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

Country Destination Domain Proto
FI 135.181.170.165:48769 tcp
IE 20.50.73.10:443 tcp
GB 92.123.143.240:80 tcp

Files

memory/684-118-0x0000000077000000-0x000000007718E000-memory.dmp

memory/684-119-0x0000000077000000-0x000000007718E000-memory.dmp

memory/684-120-0x0000000077000000-0x000000007718E000-memory.dmp

memory/684-121-0x0000000077000000-0x000000007718E000-memory.dmp

memory/684-122-0x0000000077000000-0x000000007718E000-memory.dmp

memory/684-123-0x0000000077000000-0x000000007718E000-memory.dmp

memory/684-124-0x0000000077000000-0x000000007718E000-memory.dmp

memory/684-125-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-126-0x0000000000400000-0x0000000000420000-memory.dmp

memory/198888-131-0x000000000041AEA2-mapping.dmp

memory/198888-132-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-133-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-134-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-135-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-136-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-138-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-139-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-141-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-142-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-143-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-145-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-144-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-146-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-147-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-148-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-149-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-150-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-151-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-152-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-153-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-154-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-155-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-156-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-157-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-158-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-159-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-160-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-161-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-162-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-163-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-165-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-166-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-167-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-168-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-169-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-170-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-171-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-172-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-173-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-174-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-175-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-176-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-177-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-178-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-179-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-180-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-181-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-182-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-183-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-184-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-185-0x0000000077000000-0x000000007718E000-memory.dmp

memory/198888-188-0x0000000009AF0000-0x000000000A0F6000-memory.dmp

memory/198888-189-0x0000000009900000-0x0000000009912000-memory.dmp

memory/198888-193-0x000000000B350000-0x000000000B45A000-memory.dmp

memory/198888-202-0x000000000B4F0000-0x000000000B52E000-memory.dmp

memory/198888-204-0x000000000B530000-0x000000000B57B000-memory.dmp

memory/198888-212-0x000000000C0A0000-0x000000000C116000-memory.dmp

memory/198888-213-0x000000000C1C0000-0x000000000C252000-memory.dmp

memory/198888-214-0x000000000C760000-0x000000000CC5E000-memory.dmp

memory/198888-216-0x000000000C180000-0x000000000C19E000-memory.dmp

memory/198888-220-0x000000000C530000-0x000000000C596000-memory.dmp

memory/198888-227-0x000000000C5A0000-0x000000000C5F0000-memory.dmp

memory/198888-491-0x000000000D650000-0x000000000D812000-memory.dmp

memory/198888-492-0x000000000DD50000-0x000000000E27C000-memory.dmp