Malware Analysis Report

2025-03-15 04:59

Sample ID 240713-n5dsvazcpj
Target 644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d
SHA256 644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d
Tags
redline tpb-with-async infostealer
score
10/10


Analysis Overview

score
10/10

SHA256

644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d

Threat Level: Known bad

The file 644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d was found to be: Known bad.

Malicious Activity Summary

redline tpb-with-async infostealer

RedLine

RedLine payload

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-13 11:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-13 11:58

Reported

2024-07-13 12:01

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4264 set thread context of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4264 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4264 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4264 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4264 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4264 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4264 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4264 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4264 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe

"C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-13 11:58

Reported

2024-07-13 12:01

Platform

win11-20240709-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4584 set thread context of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4584 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4584 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4584 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4584 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4584 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4584 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4584 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4584 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe

"C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
IE | 52.111.236.23:443 | | tcp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp
US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp

Files
