Malware Analysis Report

2025-01-22 09:16

Sample ID 240707-tpwllsxejd
Target main.exe
SHA256 6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff
Tags
redline @nmrzv88 infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6bc77deea74bc979a027e31d1a3afb594417c8fc366626f538b64a26d6f29fff

Threat Level: Known bad

The file main.exe was found to be: Known bad.

Malicious Activity Summary

redline @nmrzv88 infostealer

RedLine

RedLine payload

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-07 16:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-07 16:14

Reported

2024-07-07 16:15

Platform

win11-20240508-en

Max time kernel

22s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\main.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2556 set thread context of 2608 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
NL 94.228.166.68:80 tcp

Files

memory/2556-0-0x000000007518E000-0x000000007518F000-memory.dmp

memory/2556-1-0x00000000000D0000-0x000000000014E000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 ac5eeb006d2b590f66ae7e69174d5f3a
SHA1 2331f0fc6f14c8bbd6a176927af84f95a946a638
SHA256 9af40752470f3a82a4bb166558f0f5492269a30402458cf11af084f841cb4c49
SHA512 4aff61122e0a1ebd25bd73fc9aea3272b82cb544310e243d4396c6cf9246d4b9d808e523b1a34e38ad5c41a04a6e4a6333eb62cef6d85ba5562bb36593fff443

memory/2608-8-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2556-10-0x0000000077D71000-0x0000000077E93000-memory.dmp

memory/2608-11-0x0000000005B30000-0x00000000060D6000-memory.dmp

memory/2556-12-0x0000000075180000-0x0000000075931000-memory.dmp

memory/2608-13-0x0000000005620000-0x00000000056B2000-memory.dmp

memory/2608-14-0x0000000075180000-0x0000000075931000-memory.dmp

memory/2608-15-0x0000000005600000-0x000000000560A000-memory.dmp

memory/2608-16-0x0000000075180000-0x0000000075931000-memory.dmp

memory/2608-17-0x0000000006AC0000-0x00000000070D8000-memory.dmp

memory/2608-18-0x0000000008390000-0x000000000849A000-memory.dmp

memory/2608-19-0x0000000006AA0000-0x0000000006AB2000-memory.dmp

memory/2608-20-0x0000000008300000-0x000000000833C000-memory.dmp

memory/2608-21-0x00000000084A0000-0x00000000084EC000-memory.dmp

memory/2556-22-0x0000000075180000-0x0000000075931000-memory.dmp

memory/2608-23-0x0000000075180000-0x0000000075931000-memory.dmp