Malware Analysis Report

2025-01-22 09:21

Sample ID 240706-cjebpssfmp
Target cc03430547aeb57a48bea8b42166aa5d67fa03097c8e6.exe
SHA256 cc03430547aeb57a48bea8b42166aa5d67fa03097c8e6e1db055e30dc27e9baf
Tags: redline crackcloud infostealer discovery spyware stealer

Score: 10/10


Analysis Overview

Score

10/10

SHA256

cc03430547aeb57a48bea8b42166aa5d67fa03097c8e6e1db055e30dc27e9baf

Threat Level: Known bad

The file cc03430547aeb57a48bea8b42166aa5d67fa03097c8e6.exe was found to be: Known bad.

Malicious Activity Summary

redline crackcloud infostealer discovery spyware stealer

RedLine

RedLine payload

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 02:06

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 02:06

Reported

2024-07-06 02:09

Platform

win7-20240704-en

Max time kernel

54s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc03430547aeb57a48bea8b42166aa5d67fa03097c8e6.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cc03430547aeb57a48bea8b42166aa5d67fa03097c8e6.exe

"C:\Users\Admin\AppData\Local\Temp\cc03430547aeb57a48bea8b42166aa5d67fa03097c8e6.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1512 -s 720

Network

Country  Destination          Domain  Proto
NL       94.156.67.140:31957          tcp

Files

memory/1512-0-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/1512-1-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/1512-2-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp

memory/1512-3-0x0000000000290000-0x00000000002E0000-memory.dmp

memory/1512-4-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

memory/1512-5-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

memory/1512-6-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

memory/1512-7-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

memory/1512-8-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp

memory/1512-9-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 02:06

Reported

2024-07-06 02:08

Platform

win10v2004-20240704-en

Max time kernel

92s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc03430547aeb57a48bea8b42166aa5d67fa03097c8e6.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                                                    Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\cc03430547aeb57a48bea8b42166aa5d67fa03097c8e6.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                                                    Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\cc03430547aeb57a48bea8b42166aa5d67fa03097c8e6.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cc03430547aeb57a48bea8b42166aa5d67fa03097c8e6.exe

"C:\Users\Admin\AppData\Local\Temp\cc03430547aeb57a48bea8b42166aa5d67fa03097c8e6.exe"

Network

Country  Destination          Domain                       Proto
US       8.8.8.8:53           g.bing.com                   udp
US       8.8.8.8:53           8.8.8.8.in-addr.arpa         udp
US       204.79.197.237:443   g.bing.com                   tcp
US       8.8.8.8:53           81.144.22.2.in-addr.arpa     udp
US       8.8.8.8:53           69.31.126.40.in-addr.arpa    udp
US       8.8.8.8:53           237.197.79.204.in-addr.arpa  udp
US       8.8.8.8:53           88.156.103.20.in-addr.arpa   udp
NL       94.156.67.140:31957                               tcp
US       8.8.8.8:53           140.67.156.94.in-addr.arpa   udp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa   udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa   udp
US       8.8.8.8:53           192.142.123.92.in-addr.arpa  udp
US       8.8.8.8:53           73.144.22.2.in-addr.arpa     udp
US       8.8.8.8:53           0.205.248.87.in-addr.arpa    udp

Files

memory/1384-0-0x0000027859C10000-0x0000027859C11000-memory.dmp

memory/1384-2-0x00007FFD5A143000-0x00007FFD5A145000-memory.dmp

memory/1384-1-0x0000027858120000-0x0000027858121000-memory.dmp

memory/1384-3-0x0000027859AC0000-0x0000027859B10000-memory.dmp

memory/1384-4-0x00007FFD5A140000-0x00007FFD5AC01000-memory.dmp

memory/1384-5-0x00007FFD5A140000-0x00007FFD5AC01000-memory.dmp

memory/1384-6-0x0000027872B60000-0x0000027872C6A000-memory.dmp

memory/1384-7-0x0000027859BE0000-0x0000027859BF2000-memory.dmp

memory/1384-8-0x0000027859D90000-0x0000027859DCC000-memory.dmp

memory/1384-9-0x0000027872C70000-0x0000027872E19000-memory.dmp

memory/1384-10-0x0000027872690000-0x00000278726E0000-memory.dmp

memory/1384-11-0x0000027873710000-0x00000278738D2000-memory.dmp

memory/1384-12-0x0000027873E10000-0x0000027874338000-memory.dmp

memory/1384-13-0x00007FFD5A143000-0x00007FFD5A145000-memory.dmp

memory/1384-14-0x00007FFD5A140000-0x00007FFD5AC01000-memory.dmp

memory/1384-15-0x00007FFD5A140000-0x00007FFD5AC01000-memory.dmp

memory/1384-17-0x00007FFD5A140000-0x00007FFD5AC01000-memory.dmp