Malware Analysis Report

2025-03-15 04:39

Sample ID 240515-kpajpshf5t
Target FF 777v2.rar
SHA256 1f6ea88eaaa558d0384646b4b08df371fb1a45a8e8640e6587c2051b6618ffb7
Tags
redline 642876484_99 infostealer spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f6ea88eaaa558d0384646b4b08df371fb1a45a8e8640e6587c2051b6618ffb7

Threat Level: Known bad

The file FF 777v2.rar was found to be: Known bad.

Malicious Activity Summary

redline 642876484_99 infostealer spyware

RedLine payload

RedLine

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 08:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-15 08:46

Reported

2024-05-15 08:48

Platform

win10v2004-20240426-en

Max time kernel

62s

Max time network

64s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\FlightFactor Manager.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\FlightFactor Manager.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3984 set thread context of 1412 N/A C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\FlightFactor Manager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3984 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\FlightFactor Manager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3984 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\FlightFactor Manager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3984 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\FlightFactor Manager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3984 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\FlightFactor Manager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3984 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\FlightFactor Manager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3984 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\FlightFactor Manager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3984 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\FlightFactor Manager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3984 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\FlightFactor Manager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\FlightFactor Manager.exe

"C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\FlightFactor Manager.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 notcoinz.top udp
FI 95.217.242.180:3306 notcoinz.top tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 180.242.217.95.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 121.61.62.23.in-addr.arpa udp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp

Files

memory/3984-0-0x000000007474E000-0x000000007474F000-memory.dmp

memory/3984-1-0x00000000009D0000-0x0000000000A68000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 ad87b00856b26942f6cd0decd2c453d0
SHA1 4f342d942e5db016ee01bbffada31b4b11d09991
SHA256 8cba4c6c99d0882c72eaba3724253e57c8071ff358ac4065ba2ee229f0307168
SHA512 2f19d8ab00566d54692ffa42880dc2610bfde24dad2469dd59957c6caef5b215ade45c435f401bc0796a003b80949e8d7383572099cb6fa438f7afdc8892a7c4

memory/1412-7-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1412-9-0x0000000074740000-0x0000000074EF0000-memory.dmp

memory/1412-10-0x00000000052D0000-0x0000000005336000-memory.dmp

memory/1412-11-0x0000000005E50000-0x0000000006468000-memory.dmp

memory/1412-12-0x00000000058A0000-0x00000000058B2000-memory.dmp

memory/1412-13-0x00000000059D0000-0x0000000005ADA000-memory.dmp

memory/1412-14-0x0000000074740000-0x0000000074EF0000-memory.dmp

memory/1412-15-0x00000000066B0000-0x00000000066EC000-memory.dmp

memory/1412-16-0x00000000066F0000-0x000000000673C000-memory.dmp

memory/1412-17-0x0000000006A10000-0x0000000006BD2000-memory.dmp

memory/1412-18-0x0000000007110000-0x000000000763C000-memory.dmp

memory/1412-19-0x0000000006BE0000-0x0000000006C72000-memory.dmp

memory/1412-20-0x0000000007BF0000-0x0000000008194000-memory.dmp

memory/1412-21-0x0000000006C80000-0x0000000006CF6000-memory.dmp

memory/1412-22-0x00000000069F0000-0x0000000006A0E000-memory.dmp

memory/1412-23-0x0000000006E00000-0x0000000006E50000-memory.dmp

memory/1412-25-0x0000000074740000-0x0000000074EF0000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-15 08:46

Reported

2024-05-15 08:48

Platform

win10v2004-20240508-en

Max time kernel

46s

Max time network

34s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\Installation.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\Installation.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 203.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 08:46

Reported

2024-05-15 08:49

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\FF 777v2.rar"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\FF 777v2.rar"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 203.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 08:46

Reported

2024-05-15 08:48

Platform

win10v2004-20240426-en

Max time kernel

71s

Max time network

73s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\777-1.png"

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\777-1.png"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.59:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
NL 23.62.61.59:443 www.bing.com tcp
US 8.8.8.8:53 59.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-15 08:46

Reported

2024-05-15 08:48

Platform

win10v2004-20240426-en

Max time kernel

64s

Max time network

68s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\777-2.png"

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\777-2.png"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 121.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-15 08:46

Reported

2024-05-15 08:48

Platform

win10v2004-20240426-en

Max time kernel

94s

Max time network

98s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\777-3.png"

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\777-3.png"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 203.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 121.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-15 08:46

Reported

2024-05-15 08:48

Platform

win10v2004-20240508-en

Max time kernel

32s

Max time network

34s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\777-4.png"

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\FlightFactor 777 v2 (dev)\777-4.png"

Network

Country Destination Domain Proto
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp

Files

N/A