Malware Analysis Report

2025-03-15 05:17

Sample ID 231217-2htgnshfa5
Target f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564
SHA256 f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564
Tags
redline livetraffic discovery infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564

Threat Level: Known bad

The file f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564 was found to be: Known bad.

Malicious Activity Summary

redline livetraffic discovery infostealer spyware stealer

RedLine

RedLine payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-17 22:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-17 22:35

Reported

2023-12-17 22:40

Platform

win7-20231215-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564.exe

"C:\Users\Admin\AppData\Local\Temp\f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564.exe"

Network

Country Destination Domain Proto
RU 77.105.132.161:48505 tcp

Files

memory/2392-0-0x00000000001A0000-0x00000000001DC000-memory.dmp

memory/2392-5-0x0000000074C90000-0x000000007537E000-memory.dmp

memory/2392-6-0x0000000007680000-0x00000000076C0000-memory.dmp

memory/2392-8-0x0000000074C90000-0x000000007537E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-17 22:35

Reported

2023-12-17 22:40

Platform

win10-20231215-en

Max time kernel

262s

Max time network

294s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564.exe

"C:\Users\Admin\AppData\Local\Temp\f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564.exe"

Network

Country Destination Domain Proto
RU 77.105.132.161:48505 tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 161.132.105.77.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp

Files

memory/3868-0-0x0000000000380000-0x00000000003BC000-memory.dmp

memory/3868-5-0x0000000073BF0000-0x00000000742DE000-memory.dmp

memory/3868-7-0x00000000072E0000-0x0000000007372000-memory.dmp

memory/3868-6-0x00000000077E0000-0x0000000007CDE000-memory.dmp

memory/3868-8-0x0000000007480000-0x0000000007490000-memory.dmp

memory/3868-9-0x00000000028D0000-0x00000000028DA000-memory.dmp

memory/3868-12-0x0000000008780000-0x0000000008792000-memory.dmp

memory/3868-13-0x00000000087E0000-0x000000000881E000-memory.dmp

memory/3868-14-0x0000000008820000-0x000000000886B000-memory.dmp

memory/3868-11-0x000000000A000000-0x000000000A10A000-memory.dmp

memory/3868-10-0x00000000088B0000-0x0000000008EB6000-memory.dmp

memory/3868-15-0x000000000A1D0000-0x000000000A236000-memory.dmp

memory/3868-16-0x000000000B6A0000-0x000000000B6F0000-memory.dmp

memory/3868-17-0x000000000B8C0000-0x000000000BA82000-memory.dmp

memory/3868-18-0x000000000BFC0000-0x000000000C4EC000-memory.dmp

memory/3868-21-0x0000000073BF0000-0x00000000742DE000-memory.dmp