Malware Analysis Report

2025-03-15 04:59

Sample ID 240713-prw8ps1blm
Target 37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af
SHA256 37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af
Tags
redline limetorrents infostealer
score
10/10

Analysis Overview

score
10/10

SHA256

37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af

Threat Level: Known bad

The file 37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af was found to be: Known bad.

Malicious Activity Summary

redline limetorrents infostealer

RedLine

RedLine payload

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-13 12:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-13 12:34

Reported

2024-07-13 12:36

Platform

win10v2004-20240709-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4704 set thread context of 4204 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4704 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe

"C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-13 12:34

Reported

2024-07-13 12:36

Platform

win11-20240709-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1576 set thread context of 1180 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1576 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1576 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1576 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1576 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1576 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1576 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1576 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe

"C:\Users\Admin\AppData\Local\Temp\37586dafcc6c040199746a3696e5bdc64701e3afbad58da6612bc134b8f785af.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files
