Malware Analysis Report

2025-03-15 04:59

Sample ID 240713-prwl6sshmg
Target 9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3
SHA256 9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3
Tags
redline torrentold infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3

Threat Level: Known bad

The file 9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3 was found to be: Known bad. In both detonations (Windows 10 and Windows 11) the unsigned sample, running from the user's Temp directory, enables SeDebugPrivilege, starts the legitimate .NET utility C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, writes into its memory and then sets its thread context, the sequence used for process hollowing (PID 3520 into PID 1996 on Windows 10, PID 5612 into PID 3332 on Windows 11; a second RegAsm.exe instance, PID 2076, received writes but no thread-context change). The dumps of the hollowed RegAsm.exe include a 0x400000-0x444000 region, consistent with an injected image mapped at that base. The only network activity recorded is DNS: repeated queries for amrican-sport-live-stream.cc through 8.8.8.8, plus reverse (PTR) lookups of several IP addresses.

Malicious Activity Summary

redline torrentold infostealer

RedLine

RedLine payload

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-13 12:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-13 12:34

Reported

2024-07-13 12:36

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description: PID 3520 set thread context of 1996
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe (PID 3520)
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1996)

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 3520 wrote to memory of 2076 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe (PID 3520)
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2076)

Description: PID 3520 wrote to memory of 1996 (8 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe (PID 3520)
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1996)

Processes

C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe

"C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp

Files

memory/3520-0-0x000000007528E000-0x000000007528F000-memory.dmp

memory/3520-1-0x0000000000070000-0x00000000002BE000-memory.dmp

memory/3520-2-0x0000000005010000-0x00000000055B4000-memory.dmp

memory/3520-3-0x0000000004D20000-0x0000000004DB2000-memory.dmp

memory/3520-4-0x0000000004F10000-0x0000000004F1A000-memory.dmp

memory/3520-5-0x0000000075280000-0x0000000075A30000-memory.dmp

memory/3520-6-0x00000000058B0000-0x0000000005A9E000-memory.dmp

memory/3520-26-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-54-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-40-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-30-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-24-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-58-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-70-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-68-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-66-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-64-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-62-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-60-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-56-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-52-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-50-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-48-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-46-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-44-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-42-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-38-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-36-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-34-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-32-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-28-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-22-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-20-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-18-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-16-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-14-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-12-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-10-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-7-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-8-0x00000000058B0000-0x0000000005A99000-memory.dmp

memory/3520-13161-0x0000000005C00000-0x0000000005C22000-memory.dmp

memory/3520-13162-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

memory/3520-13163-0x000000003C8D0000-0x000000003C936000-memory.dmp

memory/1996-13166-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3520-13167-0x0000000075280000-0x0000000075A30000-memory.dmp

memory/1996-13168-0x0000000075280000-0x0000000075A30000-memory.dmp

memory/1996-13169-0x0000000002860000-0x0000000002866000-memory.dmp

memory/1996-13170-0x0000000075280000-0x0000000075A30000-memory.dmp

memory/1996-13171-0x000000000AD00000-0x000000000B318000-memory.dmp

memory/1996-13172-0x000000000A7A0000-0x000000000A7B2000-memory.dmp

memory/1996-13173-0x000000000A8D0000-0x000000000A9DA000-memory.dmp

memory/1996-13174-0x000000000A800000-0x000000000A83C000-memory.dmp

memory/1996-13175-0x00000000027D0000-0x000000000281C000-memory.dmp

memory/1996-13176-0x0000000075280000-0x0000000075A30000-memory.dmp

memory/1996-13177-0x0000000075280000-0x0000000075A30000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-13 12:34

Reported

2024-07-13 12:36

Platform

win11-20240709-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description: PID 5612 set thread context of 3332
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe (PID 5612)
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3332)

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 5612 wrote to memory of 3332 (8 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe (PID 5612)
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3332)
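
The SetThreadContext, AdjustPrivilegeToken and WriteProcessMemory signatures above (in this run and in behavioral1) are the raw events of a process-hollowing sequence; what an analyst wants is the correlation that turns them into one finding per injected process. The following Python is an added example, not part of this report or of the sandbox that produced it. It parses the report's own flattened signature rows (reproduced inline as constructed input), groups them by source and target PID, and flags a pair only when a sample running from a user-writable directory both writes into and changes the thread context of a trusted .NET host. The lists HOLLOW_HOSTS and USER_WRITABLE are assumptions, not values taken from the report.

```python
import re
from dataclasses import dataclass

# Constructed input: the "Suspicious use of ..." rows from both detonations of this
# report (win10 run, PID 3520 -> 1996/2076; win11 run, PID 5612 -> 3332), in the
# flattened "Description Indicator Process Target" form the report uses.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe")
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

SIGNATURE_ROWS = [
    f"PID 3520 set thread context of 1996 N/A {SAMPLE_EXE} {REGASM}",
    f"Token: SeDebugPrivilege N/A {SAMPLE_EXE} N/A",
    *([f"PID 3520 wrote to memory of 2076 N/A {SAMPLE_EXE} {REGASM}"] * 3),
    *([f"PID 3520 wrote to memory of 1996 N/A {SAMPLE_EXE} {REGASM}"] * 8),
    f"PID 5612 set thread context of 3332 N/A {SAMPLE_EXE} {REGASM}",
    f"Token: SeDebugPrivilege N/A {SAMPLE_EXE} N/A",
    *([f"PID 5612 wrote to memory of 3332 N/A {SAMPLE_EXE} {REGASM}"] * 8),
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) (\S+) (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\S+) (\S+) (\S+) (\S+)$")

# Assumed lists, not taken from the report: signed .NET framework binaries that
# loaders commonly hollow, and directories a freshly dropped sample usually runs from.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class Finding:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    writes: int          # number of WriteProcessMemory events for this PID pair
    set_context: bool    # a SetThreadContext event was seen for this PID pair
    debug_priv: bool     # the source image enabled SeDebugPrivilege

    @property
    def verdict(self) -> str:
        if self.writes and self.set_context:
            return "process hollowing: remote write followed by thread context change"
        if self.writes:
            return "remote memory write only: no context change observed"
        return "thread context change only: no remote write observed"


def detect(rows):
    """Correlate events per (source PID, target PID) and flag hollowing of a trusted host."""
    pairs = {}
    debug_images = set()   # the token row carries no PID, so key on the image path
    for row in rows:
        if m := TOKEN_RE.match(row):
            priv, _indicator, proc, _target = m.groups()
            if priv == "SeDebugPrivilege":
                debug_images.add(proc.lower())
        elif m := WRITE_RE.match(row):
            src, dst, _indicator, src_img, dst_img = m.groups()
            rec = pairs.setdefault((int(src), int(dst)),
                                   {"src": src_img, "dst": dst_img, "writes": 0, "ctx": False})
            rec["writes"] += 1
        elif m := CTX_RE.match(row):
            src, dst, _indicator, src_img, dst_img = m.groups()
            rec = pairs.setdefault((int(src), int(dst)),
                                   {"src": src_img, "dst": dst_img, "writes": 0, "ctx": False})
            rec["ctx"] = True

    findings = []
    for (src, dst), rec in sorted(pairs.items()):
        dst_name = rec["dst"].rsplit("\\", 1)[-1].lower()
        src_lower = rec["src"].lower()
        # Only a trusted host written to by something in a user-writable path is interesting.
        if dst_name in HOLLOW_HOSTS and any(d in src_lower for d in USER_WRITABLE):
            findings.append(Finding(src, dst, rec["src"], rec["dst"], rec["writes"],
                                    rec["ctx"], src_lower in debug_images))
    return findings


if __name__ == "__main__":
    for f in detect(SIGNATURE_ROWS):
        host = f.dst_image.rsplit("\\", 1)[-1]
        print(f"{f.src_pid} -> {f.dst_pid} ({host}): {f.writes} write(s), "
              f"SetThreadContext={f.set_context}, SeDebugPrivilege={f.debug_priv}: {f.verdict}")
```

Run against the report's rows this yields three findings: 3520 -> 1996 and 5612 -> 3332 as full hollowing (writes plus context change, with SeDebugPrivilege held by the writer), and 3520 -> 2076 as a write-only pair, matching the one RegAsm.exe instance in behavioral1 that never had its context changed. The same correlation applies unchanged to Sysmon event 8/10 or EDR telemetry once the rows are mapped to the same (source, target, event type) tuple.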

Processes

C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe

"C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
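
The DNS tables of both detonations mix two kinds of query: forward lookups of amrican-sport-live-stream.cc, the only domain the sample resolves and therefore the indicator worth blocking, and reverse (in-addr.arpa) lookups whose names encode, octet-reversed, the IP addresses the host contacted. The Python below is an added example, not part of this report, that parses the report's rows (reproduced inline as constructed input), decodes the PTR names back into addresses, counts forward lookups and emits a Suricata DNS-query rule per forward-looked-up domain. The rule SIDs and the message text are assumed local values.

```python
import ipaddress
from collections import Counter

# Constructed input: the DNS rows of both detonations in this report, in the report's
# "Country Destination Domain Proto" form (six reverse lookups and 21 queries for the
# domain in the win10 run, two more queries for the domain in the win11 run).
PTR_NAMES = [
    "64.159.190.20.in-addr.arpa",
    "172.210.232.199.in-addr.arpa",
    "26.165.165.52.in-addr.arpa",
    "198.187.3.20.in-addr.arpa",
    "22.236.111.52.in-addr.arpa",
    "83.210.23.2.in-addr.arpa",
]
NETWORK_ROWS = (
    [f"US 8.8.8.8:53 {n} udp" for n in PTR_NAMES]
    + ["US 8.8.8.8:53 amrican-sport-live-stream.cc udp"] * 21
    + ["US 8.8.8.8:53 amrican-sport-live-stream.cc udp"] * 2
)


def ptr_to_ip(name: str):
    """Turn a reverse-DNS name (octets reversed under in-addr.arpa) back into its IPv4 address."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:          # e.g. an octet above 255 or a non-numeric label
        return None


def summarize(rows):
    """Split DNS rows into forward lookups (candidate IOCs) and reverse lookups (IPs the host touched)."""
    resolvers = set()
    forward = Counter()
    ptr_ips = []                 # ordered, de-duplicated, first-seen order
    for row in rows:
        _country, dest, qname, _proto = row.split()
        resolvers.add(dest)
        ip = ptr_to_ip(qname)
        if ip is not None:
            if ip not in ptr_ips:
                ptr_ips.append(ip)
        else:
            forward[qname.lower()] += 1
    return {"resolvers": sorted(resolvers), "forward": forward, "ptr_ips": ptr_ips}


def suricata_rules(domains, base_sid=1000001):
    """One Suricata dns.query rule per domain; base_sid is an assumed local SID range."""
    rules = []
    for i, d in enumerate(sorted(domains)):
        rules.append(
            f'alert dns any any -> any any (msg:"Sandbox-derived IOC: DNS lookup {d}"; '
            f'dns.query; content:"{d}"; nocase; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    print("resolvers:", ", ".join(s["resolvers"]))
    for domain, n in s["forward"].most_common():
        print(f"forward lookup {domain}: {n} queries")
    print("addresses from PTR lookups:", ", ".join(s["ptr_ips"]))
    for rule in suricata_rules(s["forward"]):
        print(rule)
```

For this report the decoded PTR targets are 20.190.159.64, 199.232.210.172, 52.165.165.26, 20.3.187.198, 52.111.236.22 and 2.23.210.83; reverse lookups of this kind are usually generated by the operating system rather than the sample, so they are listed for context and kept out of the rule set, which contains only the single forward-looked-up domain.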

Files

memory/5612-0-0x000000007524E000-0x000000007524F000-memory.dmp

memory/5612-1-0x0000000000140000-0x000000000038E000-memory.dmp

memory/5612-2-0x0000000005300000-0x00000000058A6000-memory.dmp

memory/5612-3-0x0000000004F90000-0x0000000005022000-memory.dmp

memory/5612-4-0x00000000052E0000-0x00000000052EA000-memory.dmp

memory/5612-5-0x0000000075240000-0x00000000759F1000-memory.dmp

memory/5612-6-0x0000000005B20000-0x0000000005D0E000-memory.dmp

memory/5612-20-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-12-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-7-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-38-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-40-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-56-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-54-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-52-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-50-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-48-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-46-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-44-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-36-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-34-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-32-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-30-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-28-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-26-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-24-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-43-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-22-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-18-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-16-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-14-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-10-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-8-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-58-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-70-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-62-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-60-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-68-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-66-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-64-0x0000000005B20000-0x0000000005D09000-memory.dmp

memory/5612-11091-0x000000007524E000-0x000000007524F000-memory.dmp

memory/5612-11987-0x0000000075240000-0x00000000759F1000-memory.dmp

memory/5612-13163-0x0000000005E80000-0x0000000005EA2000-memory.dmp

memory/5612-13164-0x0000000005F60000-0x00000000062B7000-memory.dmp

memory/5612-13165-0x000000003BF60000-0x000000003BFC6000-memory.dmp

memory/5612-13169-0x0000000075240000-0x00000000759F1000-memory.dmp

memory/3332-13168-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3332-13171-0x0000000001600000-0x0000000001606000-memory.dmp

memory/3332-13170-0x0000000075240000-0x00000000759F1000-memory.dmp

memory/3332-13172-0x0000000005F30000-0x0000000006548000-memory.dmp

memory/3332-13173-0x0000000005970000-0x0000000005982000-memory.dmp

memory/3332-13174-0x0000000075240000-0x00000000759F1000-memory.dmp

memory/3332-13175-0x0000000005AA0000-0x0000000005BAA000-memory.dmp

memory/3332-13176-0x00000000059D0000-0x0000000005A0C000-memory.dmp

memory/3332-13177-0x0000000005A30000-0x0000000005A7C000-memory.dmp

memory/3332-13178-0x0000000075240000-0x00000000759F1000-memory.dmp

memory/3332-13179-0x0000000075240000-0x00000000759F1000-memory.dmp