Analysis Overview
SHA256
f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564
Threat Level: Known bad
The file f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-17 22:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-17 22:35
Reported
2023-12-17 22:40
Platform
win7-20231215-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564.exe
"C:\Users\Admin\AppData\Local\Temp\f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 77.105.132.161:48505 | | tcp |
Files
memory/2392-0-0x00000000001A0000-0x00000000001DC000-memory.dmp
memory/2392-5-0x0000000074C90000-0x000000007537E000-memory.dmp
memory/2392-6-0x0000000007680000-0x00000000076C0000-memory.dmp
memory/2392-8-0x0000000074C90000-0x000000007537E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-17 22:35
Reported
2023-12-17 22:40
Platform
win10-20231215-en
Max time kernel
262s
Max time network
294s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564.exe
"C:\Users\Admin\AppData\Local\Temp\f0f5b517995baed167b1c3fa4cfa1b165d2964f1a9ce02e4ef30b4a400717564.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 77.105.132.161:48505 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 161.132.105.77.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
Files
memory/3868-0-0x0000000000380000-0x00000000003BC000-memory.dmp
memory/3868-5-0x0000000073BF0000-0x00000000742DE000-memory.dmp
memory/3868-7-0x00000000072E0000-0x0000000007372000-memory.dmp
memory/3868-6-0x00000000077E0000-0x0000000007CDE000-memory.dmp
memory/3868-8-0x0000000007480000-0x0000000007490000-memory.dmp
memory/3868-9-0x00000000028D0000-0x00000000028DA000-memory.dmp
memory/3868-12-0x0000000008780000-0x0000000008792000-memory.dmp
memory/3868-13-0x00000000087E0000-0x000000000881E000-memory.dmp
memory/3868-14-0x0000000008820000-0x000000000886B000-memory.dmp
memory/3868-11-0x000000000A000000-0x000000000A10A000-memory.dmp
memory/3868-10-0x00000000088B0000-0x0000000008EB6000-memory.dmp
memory/3868-15-0x000000000A1D0000-0x000000000A236000-memory.dmp
memory/3868-16-0x000000000B6A0000-0x000000000B6F0000-memory.dmp
memory/3868-17-0x000000000B8C0000-0x000000000BA82000-memory.dmp
memory/3868-18-0x000000000BFC0000-0x000000000C4EC000-memory.dmp
memory/3868-21-0x0000000073BF0000-0x00000000742DE000-memory.dmp