Malware Analysis Report

2025-03-15 04:50

Sample ID 240714-1sa8eaxbkc
Target redline123123.exe
SHA256 7c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e
Tags
newbild redline discovery infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e

Threat Level: Known bad

The file redline123123.exe was found to be: Known bad.

Malicious Activity Summary

newbild redline discovery infostealer spyware stealer

RedLine payload

Redline family

RedLine

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-14 21:54

Signatures

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-14 21:54

Reported

2024-07-14 22:05

Platform

win10v2004-20240709-en

Max time kernel

432s

Max time network

437s

Command Line

"C:\Users\Admin\AppData\Local\Temp\redline123123.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\redline123123.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\redline123123.exe

"C:\Users\Admin\AppData\Local\Temp\redline123123.exe"

Network

Country Destination Domain Proto
RU 185.215.113.67:40960 tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 67.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/4572-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

memory/4572-1-0x00000000002B0000-0x0000000000300000-memory.dmp

memory/4572-2-0x00000000053B0000-0x0000000005954000-memory.dmp

memory/4572-3-0x0000000004CE0000-0x0000000004D72000-memory.dmp

memory/4572-4-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

memory/4572-5-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/4572-6-0x0000000005F80000-0x0000000006598000-memory.dmp

memory/4572-7-0x00000000051D0000-0x00000000052DA000-memory.dmp

memory/4572-8-0x0000000004E80000-0x0000000004E92000-memory.dmp

memory/4572-9-0x0000000004EF0000-0x0000000004F2C000-memory.dmp

memory/4572-10-0x0000000004F40000-0x0000000004F8C000-memory.dmp

memory/4572-11-0x0000000005960000-0x00000000059C6000-memory.dmp

memory/4572-12-0x00000000068F0000-0x0000000006940000-memory.dmp

memory/4572-13-0x0000000006B10000-0x0000000006CD2000-memory.dmp

memory/4572-14-0x0000000007210000-0x000000000773C000-memory.dmp

memory/4572-16-0x0000000074D60000-0x0000000075510000-memory.dmp