Malware Analysis Report

2025-03-15 05:16

Sample ID: 231218-fgm3lsghdk
Target: 2fab80bf6fac111a7df3c20dcb46e4215143af76f20d8053f47dcd48ed75db06
SHA256: 2fab80bf6fac111a7df3c20dcb46e4215143af76f20d8053f47dcd48ed75db06
Tags: redline livetraffic discovery infostealer spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

2fab80bf6fac111a7df3c20dcb46e4215143af76f20d8053f47dcd48ed75db06

Threat Level: Known bad

The file 2fab80bf6fac111a7df3c20dcb46e4215143af76f20d8053f47dcd48ed75db06 was found to be: Known bad.

Malicious Activity Summary

redline livetraffic discovery infostealer spyware stealer

RedLine

RedLine payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-18 04:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-18 04:50

Reported

2023-12-18 04:55

Platform

win7-20231129-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2fab80bf6fac111a7df3c20dcb46e4215143af76f20d8053f47dcd48ed75db06.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2fab80bf6fac111a7df3c20dcb46e4215143af76f20d8053f47dcd48ed75db06.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2fab80bf6fac111a7df3c20dcb46e4215143af76f20d8053f47dcd48ed75db06.exe

"C:\Users\Admin\AppData\Local\Temp\2fab80bf6fac111a7df3c20dcb46e4215143af76f20d8053f47dcd48ed75db06.exe"

Network

Country | Destination | Domain | Proto
RU | 77.105.132.161:48505 | N/A | tcp

Files

memory/1752-0-0x00000000000E0000-0x000000000011C000-memory.dmp

memory/1752-5-0x0000000074060000-0x000000007474E000-memory.dmp

memory/1752-6-0x00000000074E0000-0x0000000007520000-memory.dmp

memory/1752-8-0x0000000074060000-0x000000007474E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-18 04:50

Reported

2023-12-18 04:55

Platform

win10-20231215-en

Max time kernel

286s

Max time network

290s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2fab80bf6fac111a7df3c20dcb46e4215143af76f20d8053f47dcd48ed75db06.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2fab80bf6fac111a7df3c20dcb46e4215143af76f20d8053f47dcd48ed75db06.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2fab80bf6fac111a7df3c20dcb46e4215143af76f20d8053f47dcd48ed75db06.exe

"C:\Users\Admin\AppData\Local\Temp\2fab80bf6fac111a7df3c20dcb46e4215143af76f20d8053f47dcd48ed75db06.exe"

Network

Country | Destination | Domain | Proto
RU | 77.105.132.161:48505 | N/A | tcp
US | 8.8.8.8:53 | 161.132.105.77.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | N/A | udp

Files

memory/1840-0-0x0000000002A10000-0x0000000002A4C000-memory.dmp

memory/1840-5-0x0000000073330000-0x0000000073A1E000-memory.dmp

memory/1840-6-0x0000000007C60000-0x000000000815E000-memory.dmp

memory/1840-7-0x0000000007850000-0x00000000078E2000-memory.dmp

memory/1840-8-0x0000000007A20000-0x0000000007A30000-memory.dmp

memory/1840-9-0x0000000002DC0000-0x0000000002DCA000-memory.dmp

memory/1840-12-0x0000000008D00000-0x0000000008D12000-memory.dmp

memory/1840-13-0x0000000008D60000-0x0000000008D9E000-memory.dmp

memory/1840-14-0x0000000008DA0000-0x0000000008DEB000-memory.dmp

memory/1840-11-0x000000000A580000-0x000000000A68A000-memory.dmp

memory/1840-10-0x0000000008E30000-0x0000000009436000-memory.dmp

memory/1840-15-0x000000000A750000-0x000000000A7B6000-memory.dmp

memory/1840-16-0x000000000AA10000-0x000000000AA60000-memory.dmp

memory/1840-17-0x000000000B670000-0x000000000B832000-memory.dmp

memory/1840-18-0x000000000BD70000-0x000000000C29C000-memory.dmp

memory/1840-21-0x0000000073330000-0x0000000073A1E000-memory.dmp