Malware Analysis Report

2025-01-22 09:19

Sample ID 240707-bvvbmazdnl
Target 0970456d2e2bcb36f49d23f5f2eec4ce.bin
SHA256 c0cbd3727926b4ed773615f88cb831e7582ec9c670f07d85d9bb7fd981cf6fb8
Tags
redline newlogs infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c0cbd3727926b4ed773615f88cb831e7582ec9c670f07d85d9bb7fd981cf6fb8

Threat Level: Known bad

The file 0970456d2e2bcb36f49d23f5f2eec4ce.bin was found to be: Known bad.

Malicious Activity Summary

redline newlogs infostealer

RedLine

RedLine payload

Redline family

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-07 01:28

Signatures

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-07 01:28

Reported

2024-07-07 01:45

Platform

win10v2004-20240704-en

Max time kernel

144s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\264db4d677606c95912a93a457675d5ebaa24dc886da8bbcb800fe831c540a54.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\264db4d677606c95912a93a457675d5ebaa24dc886da8bbcb800fe831c540a54.exe

"C:\Users\Admin\AppData\Local\Temp\264db4d677606c95912a93a457675d5ebaa24dc886da8bbcb800fe831c540a54.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4104,i,15168044379859864039,3380316340477469860,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 85.28.47.7:17210 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
RU 85.28.47.7:17210 tcp
RU 85.28.47.7:17210 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 85.28.47.7:17210 tcp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
RU 85.28.47.7:17210 tcp
RU 85.28.47.7:17210 tcp

Files

memory/2076-0-0x000000007473E000-0x000000007473F000-memory.dmp

memory/2076-1-0x0000000000020000-0x0000000000070000-memory.dmp

memory/2076-2-0x0000000004F60000-0x0000000005504000-memory.dmp

memory/2076-3-0x0000000004A60000-0x0000000004AF2000-memory.dmp

memory/2076-4-0x0000000004C30000-0x0000000004C3A000-memory.dmp

memory/2076-5-0x0000000074730000-0x0000000074EE0000-memory.dmp

memory/2076-6-0x0000000005B30000-0x0000000006148000-memory.dmp

memory/2076-7-0x0000000004DD0000-0x0000000004EDA000-memory.dmp

memory/2076-8-0x0000000004D00000-0x0000000004D12000-memory.dmp

memory/2076-9-0x0000000004D60000-0x0000000004D9C000-memory.dmp

memory/2076-10-0x0000000004EE0000-0x0000000004F2C000-memory.dmp

memory/2076-11-0x000000007473E000-0x000000007473F000-memory.dmp

memory/2076-12-0x0000000074730000-0x0000000074EE0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-07 01:28

Reported

2024-07-07 01:43

Platform

win7-20240220-en

Max time kernel

133s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\264db4d677606c95912a93a457675d5ebaa24dc886da8bbcb800fe831c540a54.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\264db4d677606c95912a93a457675d5ebaa24dc886da8bbcb800fe831c540a54.exe

"C:\Users\Admin\AppData\Local\Temp\264db4d677606c95912a93a457675d5ebaa24dc886da8bbcb800fe831c540a54.exe"

Network

Country Destination Domain Proto
RU 85.28.47.7:17210 tcp
RU 85.28.47.7:17210 tcp
RU 85.28.47.7:17210 tcp
RU 85.28.47.7:17210 tcp
RU 85.28.47.7:17210 tcp
RU 85.28.47.7:17210 tcp

Files

memory/2432-0-0x000000007443E000-0x000000007443F000-memory.dmp

memory/2432-1-0x0000000000DE0000-0x0000000000E30000-memory.dmp

memory/2432-2-0x0000000074430000-0x0000000074B1E000-memory.dmp

memory/2432-3-0x000000007443E000-0x000000007443F000-memory.dmp

memory/2432-4-0x0000000074430000-0x0000000074B1E000-memory.dmp