Malware Analysis Report

2025-08-11 01:18

Sample ID 240408-271x2saa7v
Target 0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0
SHA256 0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0
Tags
redline 6077866846 discovery infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0

Threat Level: Known bad

The file 0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0 was found to be: Known bad.

Malicious Activity Summary

redline 6077866846 discovery infostealer spyware stealer

RedLine

RedLine payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 23:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 23:14

Reported

2024-04-08 23:16

Platform

win11-20240221-en

Max time kernel

149s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe

"C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
MD 94.103.188.162:443 sy.slo5prc.top tcp

Files

memory/1548-0-0x00000000009C0000-0x00000000009E2000-memory.dmp

memory/1548-4-0x00000000745C0000-0x0000000074D71000-memory.dmp

memory/1548-5-0x0000000005050000-0x00000000050B6000-memory.dmp

memory/1548-6-0x0000000005BE0000-0x00000000061F8000-memory.dmp

memory/1548-7-0x0000000005600000-0x0000000005612000-memory.dmp

memory/1548-8-0x0000000005730000-0x000000000583A000-memory.dmp

memory/1548-9-0x00000000051B0000-0x00000000051C0000-memory.dmp

memory/1548-10-0x0000000006680000-0x00000000066BC000-memory.dmp

memory/1548-11-0x00000000066C0000-0x000000000670C000-memory.dmp

memory/1548-12-0x00000000069F0000-0x0000000006BB2000-memory.dmp

memory/1548-13-0x00000000070F0000-0x000000000761C000-memory.dmp

memory/1548-14-0x0000000006BC0000-0x0000000006C52000-memory.dmp

memory/1548-15-0x0000000007BD0000-0x0000000008176000-memory.dmp

memory/1548-16-0x0000000006CE0000-0x0000000006D56000-memory.dmp

memory/1548-17-0x0000000006C90000-0x0000000006CAE000-memory.dmp

memory/1548-18-0x0000000006E20000-0x0000000006E70000-memory.dmp

memory/1548-21-0x00000000745C0000-0x0000000074D71000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 23:14

Reported

2024-04-08 23:16

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe

"C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4400 -ip 4400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

N/A