Malware Analysis Report

2025-03-15 04:55

Sample ID 240713-1fwnkszhkd
Target D5A7AFAA7CC3C7DC5E19665034A32512.exe
SHA256 9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370
Tags
redline 6464132328_99 infostealer spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370

Threat Level: Known bad

The file D5A7AFAA7CC3C7DC5E19665034A32512.exe was found to be: Known bad.

Malicious Activity Summary

redline 6464132328_99 infostealer spyware

RedLine payload

RedLine

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-13 21:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-13 21:36

Reported

2024-07-13 21:38

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3432 set thread context of 4980 N/A C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe

"C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 sp.joger.top udp
FI 95.217.245.123:3306 sp.joger.top tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 123.245.217.95.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

memory/3432-0-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

memory/3432-1-0x0000000000CE0000-0x0000000000DBE000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 1f804181133345524e018243d5ad2610
SHA1 482ff64943006de93caea2671c854152203dd820
SHA256 e63e1a997fd7626c8f9d02137ab87f0c6fae00955daacaf20e4cbd89feda4e24
SHA512 a661abaa41b433282bc9d03c7f69c9c5b66b52d45d6561d79ee9faaa006988f2a7919daef71784c88508c8b944870924072485be8b1f04a60e6bcf07398f8701

memory/4980-8-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3432-10-0x0000000074F30000-0x00000000756E0000-memory.dmp

memory/4980-11-0x0000000005560000-0x00000000055C6000-memory.dmp

memory/4980-12-0x0000000074F30000-0x00000000756E0000-memory.dmp

memory/4980-13-0x0000000006050000-0x0000000006668000-memory.dmp

memory/4980-14-0x0000000005A90000-0x0000000005AA2000-memory.dmp

memory/4980-15-0x0000000005BC0000-0x0000000005CCA000-memory.dmp

memory/4980-16-0x0000000074F30000-0x00000000756E0000-memory.dmp

memory/4980-17-0x0000000006870000-0x00000000068AC000-memory.dmp

memory/4980-18-0x00000000068B0000-0x00000000068FC000-memory.dmp

memory/4980-19-0x0000000006BF0000-0x0000000006DB2000-memory.dmp

memory/4980-20-0x00000000072F0000-0x000000000781C000-memory.dmp

memory/4980-21-0x0000000006DC0000-0x0000000006E52000-memory.dmp

memory/4980-22-0x0000000007DD0000-0x0000000008374000-memory.dmp

memory/4980-23-0x0000000006F40000-0x0000000006FB6000-memory.dmp

memory/4980-24-0x0000000006E80000-0x0000000006E9E000-memory.dmp

memory/4980-25-0x0000000007270000-0x00000000072C0000-memory.dmp

memory/4980-27-0x0000000074F30000-0x00000000756E0000-memory.dmp

memory/3432-28-0x0000000074F30000-0x00000000756E0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-13 21:36

Reported

2024-07-13 21:38

Platform

win7-20240705-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe

"C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe"

Network

N/A

Files

memory/2088-0-0x000000007498E000-0x000000007498F000-memory.dmp

memory/2088-1-0x0000000000B20000-0x0000000000BFE000-memory.dmp

\Users\Admin\AppData\Roaming\d3d9.dll

MD5 1f804181133345524e018243d5ad2610
SHA1 482ff64943006de93caea2671c854152203dd820
SHA256 e63e1a997fd7626c8f9d02137ab87f0c6fae00955daacaf20e4cbd89feda4e24
SHA512 a661abaa41b433282bc9d03c7f69c9c5b66b52d45d6561d79ee9faaa006988f2a7919daef71784c88508c8b944870924072485be8b1f04a60e6bcf07398f8701

memory/2088-6-0x0000000075DD0000-0x0000000075E91000-memory.dmp