Analysis Overview
SHA256
7c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e
Threat Level: Known bad
The file redline123123.exe was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Redline family
RedLine
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-14 21:54
Signatures
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Redline family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-14 21:54
Reported
2024-07-14 22:05
Platform
win10v2004-20240709-en
Max time kernel
432s
Max time network
437s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\redline123123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\redline123123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\redline123123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\redline123123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\redline123123.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\redline123123.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\redline123123.exe
"C:\Users\Admin\AppData\Local\Temp\redline123123.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 185.215.113.67:40960 | | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
memory/4572-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp
memory/4572-1-0x00000000002B0000-0x0000000000300000-memory.dmp
memory/4572-2-0x00000000053B0000-0x0000000005954000-memory.dmp
memory/4572-3-0x0000000004CE0000-0x0000000004D72000-memory.dmp
memory/4572-4-0x0000000004DA0000-0x0000000004DAA000-memory.dmp
memory/4572-5-0x0000000074D60000-0x0000000075510000-memory.dmp
memory/4572-6-0x0000000005F80000-0x0000000006598000-memory.dmp
memory/4572-7-0x00000000051D0000-0x00000000052DA000-memory.dmp
memory/4572-8-0x0000000004E80000-0x0000000004E92000-memory.dmp
memory/4572-9-0x0000000004EF0000-0x0000000004F2C000-memory.dmp
memory/4572-10-0x0000000004F40000-0x0000000004F8C000-memory.dmp
memory/4572-11-0x0000000005960000-0x00000000059C6000-memory.dmp
memory/4572-12-0x00000000068F0000-0x0000000006940000-memory.dmp
memory/4572-13-0x0000000006B10000-0x0000000006CD2000-memory.dmp
memory/4572-14-0x0000000007210000-0x000000000773C000-memory.dmp
memory/4572-16-0x0000000074D60000-0x0000000075510000-memory.dmp