Malware Analysis Report

2025-03-15 04:59

Sample ID 240713-prwl6s1blk
Target cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4
SHA256 cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4
Tags
redline tpb-activator infostealer
Score
10/10

Analysis Overview

Score
10/10

SHA256

cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4

Threat Level: Known bad

The file cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4 was found to be: Known bad.

Malicious Activity Summary

redline tpb-activator infostealer

RedLine

RedLine payload

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-13 12:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-13 12:34

Reported

2024-07-13 12:36

Platform

win10v2004-20240704-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2888 set thread context of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2888 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe

"C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 udp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-13 12:34

Reported

2024-07-13 12:36

Platform

win11-20240709-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 644 set thread context of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 644 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 644 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe

"C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 amrican-sport-live-stream.cc udp

Files
