Malware Analysis Report

2025-01-22 09:08

Sample ID 240520-mdtvbafh2y
Target DisableFamiliesViewSteam.rar
SHA256 8624da9141750c81f59048be74be5682cdeffa370a581f04ed54a2160d1dda48
Tags: redline, infostealer, spyware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

8624da9141750c81f59048be74be5682cdeffa370a581f04ed54a2160d1dda48

Threat Level: Known bad

The file DisableFamiliesViewSteam.rar was found to be: Known bad.

Malicious Activity Summary

redline infostealer spyware

RedLine payload

RedLine

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-20 10:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 10:21

Reported

2024-05-20 10:21

Platform

win10v2004-20240426-en

Max time kernel

7s

Max time network

10s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1223.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mowgang.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1223.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 216 set thread context of 2772 N/A C:\Users\Admin\AppData\Local\Temp\1223.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4820 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe C:\Users\Admin\AppData\Local\Temp\1223.exe
PID 4820 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe C:\Users\Admin\AppData\Local\Temp\1223.exe
PID 4820 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe C:\Users\Admin\AppData\Local\Temp\1223.exe
PID 4820 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe C:\Users\Admin\AppData\Local\Temp\mowgang.exe
PID 4820 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe C:\Users\Admin\AppData\Local\Temp\mowgang.exe
PID 4820 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe C:\Users\Admin\AppData\Local\Temp\mowgang.exe
PID 216 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\1223.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 216 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\1223.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 216 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\1223.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 216 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\1223.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 216 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\1223.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 216 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\1223.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 216 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\1223.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 216 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\1223.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe

"C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe"

C:\Users\Admin\AppData\Local\Temp\1223.exe

"C:\Users\Admin\AppData\Local\Temp\1223.exe"

C:\Users\Admin\AppData\Local\Temp\mowgang.exe

"C:\Users\Admin\AppData\Local\Temp\mowgang.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
RU 89.23.100.72:21038 N/A tcp
US 8.8.8.8:53 72.100.23.89.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\1223.exe

MD5 3aee694d5be41a350239eecd6efc8a96
SHA1 54a1e0c86ea5d97d4dd9916115b25a674d8e161e
SHA256 443cab0cea8162a275ffae4e511afb653e1ae558f81d5d9401253b48c99a2052
SHA512 aa6d71f3d92e42da0a32bc70514893938440f18d8ffa1773dff9aa594c81edc12bade432480ac3022666dc4a67f8f25884515fe9e2e668f20eade4f6870f9036

C:\Users\Admin\AppData\Local\Temp\mowgang.exe

MD5 70f5712af69e43e691a6adef7f971f6b
SHA1 326dbcbd77dbe38fd938684f2a506b9bf8dcdfd7
SHA256 64a25f655a4280eebfafb1df35fe8dcf19962438987a5cf6dfcfb444ab7b54af
SHA512 b3eac71db8faddb98bb8138e6e351c799e168ecb7077f98b0ecfac8087e771b61a3fe631a1b0f451077160442ba6a46960c4aa4f3324c37e05ea29f7e13f113f

memory/216-20-0x0000000072E5E000-0x0000000072E5F000-memory.dmp

memory/3512-22-0x0000000000400000-0x0000000000422000-memory.dmp

memory/216-23-0x0000000000C20000-0x0000000001340000-memory.dmp

memory/216-24-0x00000000055C0000-0x00000000055C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 878014e9987f80f6c50801b67aaf040c
SHA1 03bfaab4f356a60e79c757bafac22738c0e6a95e
SHA256 1af5766f944c2bc06ede847876a50190def6cb3959e6620162028badf122162b
SHA512 b71e5e512cd57a9a3c12a8d006b05e611d7215de16f6994166469fd8a01349eaaa9924cf029d955db5d99a00522c21fab588e13e4ff9add702da8d411f187ff0
