Malware Analysis Report

2025-01-22 09:23

Sample ID: 240704-2j6hmatbml
Target: 64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f
SHA256: 64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f
Tags: redline infostealer spyware
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f
Threat Level: Known bad

The file 64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f was found to be: Known bad.

Malicious Activity Summary

Tags: redline infostealer spyware

- RedLine payload
- RedLine
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Suspicious use of SetThreadContext
- Unsigned PE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-04 22:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-04 22:37
Reported: 2024-07-04 22:42
Platform: win7-20240704-en
Max time kernel: 237s
Max time network: 238s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe
  "C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe"

Network

N/A

Files

memory/3008-0-0x00000000747FE000-0x00000000747FF000-memory.dmp
memory/3008-1-0x0000000001230000-0x0000000001294000-memory.dmp
memory/3008-2-0x00000000004D0000-0x00000000004D6000-memory.dmp

\Users\Admin\AppData\Roaming\d3d9.dll
  MD5    855707da714f67eb0a60d2b850cef20f
  SHA1   df8ef101ba0bd2881472d488ef164496b9781ad0
  SHA256 632f9b221e4f92282ccdd5a0a76039a14f5838e1cdace8e99dd8d81e95bc6bfb
  SHA512 3896fdc1932b1a05dd14ad99885c9f05fe858fd9c01356bccc5e746072425a053478b5c5b6cd42f1b46c2bf3d99614f5fded345a351c8d7990636b2dbfe96a27

memory/3008-7-0x0000000076EE0000-0x0000000076FA1000-memory.dmp
memory/3008-8-0x00000000747F0000-0x0000000074EDE000-memory.dmp
memory/3008-9-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-04 22:37
Reported: 2024-07-04 22:42
Platform: win10-20240404-en
Max time kernel: 195s
Max time network: 300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe"

Signatures

RedLine (infostealer, redline)

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting (spyware)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4512 set thread context of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4512 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
(the same entry is recorded 8 times)

Processes

C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe
  "C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country | Destination | Domain | Proto
RU | 77.91.77.6:24186 | N/A | tcp
US | 8.8.8.8:53 | 6.77.91.77.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp

Files

memory/4512-0-0x000000007377E000-0x000000007377F000-memory.dmp
memory/4512-1-0x0000000000620000-0x0000000000684000-memory.dmp
memory/4512-2-0x0000000002820000-0x0000000002826000-memory.dmp

\Users\Admin\AppData\Roaming\d3d9.dll
  MD5    855707da714f67eb0a60d2b850cef20f
  SHA1   df8ef101ba0bd2881472d488ef164496b9781ad0
  SHA256 632f9b221e4f92282ccdd5a0a76039a14f5838e1cdace8e99dd8d81e95bc6bfb
  SHA512 3896fdc1932b1a05dd14ad99885c9f05fe858fd9c01356bccc5e746072425a053478b5c5b6cd42f1b46c2bf3d99614f5fded345a351c8d7990636b2dbfe96a27

memory/960-9-0x0000000000400000-0x0000000000450000-memory.dmp
memory/4512-12-0x0000000077531000-0x0000000077644000-memory.dmp
memory/4512-11-0x0000000074E10000-0x0000000074E70000-memory.dmp
memory/960-15-0x0000000073770000-0x0000000073E5E000-memory.dmp
memory/960-14-0x0000000005530000-0x0000000005A2E000-memory.dmp
memory/4512-13-0x0000000073770000-0x0000000073E5E000-memory.dmp
memory/960-16-0x0000000005030000-0x00000000050C2000-memory.dmp
memory/960-17-0x0000000005000000-0x000000000500A000-memory.dmp
memory/960-18-0x0000000073770000-0x0000000073E5E000-memory.dmp
memory/960-19-0x0000000006040000-0x0000000006646000-memory.dmp
memory/960-20-0x00000000053E0000-0x00000000054EA000-memory.dmp
memory/960-21-0x0000000005260000-0x0000000005272000-memory.dmp
memory/960-22-0x00000000052C0000-0x00000000052FE000-memory.dmp
memory/960-23-0x0000000005300000-0x000000000534B000-memory.dmp
memory/960-24-0x0000000005AD0000-0x0000000005B36000-memory.dmp
memory/960-25-0x00000000077E0000-0x00000000079A2000-memory.dmp
memory/960-26-0x0000000007EE0000-0x000000000840C000-memory.dmp
memory/960-27-0x0000000006AC0000-0x0000000006B10000-memory.dmp
memory/960-29-0x0000000073770000-0x0000000073E5E000-memory.dmp
memory/4512-30-0x0000000073770000-0x0000000073E5E000-memory.dmp