Malware Analysis Report

2025-01-22 09:22

Sample ID 240706-jhjy5a1clp
Target Raven.exe
SHA256 a469cb5ec9ad6345d3542c24edeec932de343bb72a131796bb607a133b2ddaea
Tags
redline 7182038265_99 infostealer spyware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

a469cb5ec9ad6345d3542c24edeec932de343bb72a131796bb607a133b2ddaea

Threat Level: Known bad

The file Raven.exe was found to be: Known bad.

Malicious Activity Summary

redline 7182038265_99 infostealer spyware

RedLine

RedLine payload

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 07:40

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 07:40

Reported

2024-07-06 07:42

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Raven.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Raven.exe
Target: N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description: PID 2948 set thread context of 2276
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Raven.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Raven.exe

"C:\Users\Admin\AppData\Local\Temp\Raven.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 ko.spuu.top udp
FI 95.217.245.123:443 ko.spuu.top tcp
US 8.8.8.8:53 123.245.217.95.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2948-0-0x000000007483E000-0x000000007483F000-memory.dmp

memory/2948-1-0x00000000003F0000-0x0000000000498000-memory.dmp

memory/2948-2-0x0000000004EC0000-0x0000000004EC6000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 78de334caeb1f9847086897ff97f9ad9
SHA1 5d0875af69c37e1e8778ef1f4367bba18de19241
SHA256 2b6327070dd42a5fe902217e7a736094adaf2e8316d822f546fb209bd010b326
SHA512 f7b3e268425631b27f06c7f0acb9293432feefb00fd14b89d85e8495b6ffeae2b99819c0c0b94fba71a3a5f9097ec1dd8455a4583b3ccffb1a2b9211890fbe8a

memory/2276-9-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2948-12-0x00000000772D1000-0x00000000773F1000-memory.dmp

memory/2276-13-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/2948-11-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/2276-14-0x0000000005260000-0x00000000052C6000-memory.dmp

memory/2948-15-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/2276-16-0x0000000005D30000-0x0000000006348000-memory.dmp

memory/2276-17-0x0000000005780000-0x0000000005792000-memory.dmp

memory/2276-18-0x00000000058B0000-0x00000000059BA000-memory.dmp

memory/2276-19-0x00000000066D0000-0x000000000670C000-memory.dmp

memory/2276-20-0x0000000006710000-0x000000000675C000-memory.dmp

memory/2276-21-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/2276-22-0x0000000006A30000-0x0000000006BF2000-memory.dmp

memory/2276-23-0x0000000007130000-0x000000000765C000-memory.dmp

memory/2276-24-0x0000000006C00000-0x0000000006C92000-memory.dmp

memory/2276-25-0x0000000007C10000-0x00000000081B4000-memory.dmp

memory/2276-26-0x0000000006D20000-0x0000000006D96000-memory.dmp

memory/2276-27-0x0000000006D00000-0x0000000006D1E000-memory.dmp

memory/2276-28-0x0000000006F90000-0x0000000006FE0000-memory.dmp

memory/2276-30-0x0000000074830000-0x0000000074FE0000-memory.dmp