Malware Analysis Report

2025-03-15 04:42

Sample ID 240714-gc6vla1clb
Target FireyYoy.zip
SHA256 18bc7eedbc38c08acd67766fdb5b10a363ccf3a7a806837d25d9297a4b765c65
Tags
redline infostealer spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

18bc7eedbc38c08acd67766fdb5b10a363ccf3a7a806837d25d9297a4b765c65

Threat Level: Known bad

The file FireyYoy.zip was found to be: Known bad.

Chain observed across the runs: the archive carries two executables, ExtremeHeatV1.exe and ExtremeHeatV2.exe, both unsigned. On Windows 10 each one writes d3d9.dll to C:\Users\Admin\AppData\Roaming and loads it, starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe with no arguments and replaces its thread context (process hollowing). The hollowed MSBuild.exe then enables SeDebugPrivilege, touches wallet/credential files and opens a raw TCP session to a hard-coded host in 185.196.9.0/24 (185.196.9.26:6302 for V2, 185.196.9.6:43164 for V1). On Windows 7 both builds only load the dropped DLL and show no injection or network activity.

Malicious Activity Summary

redline infostealer spyware

RedLine

RedLine payload

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-14 05:40

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Two hits with no process context, consistent with one per executable in the archive (ExtremeHeatV1.exe and ExtremeHeatV2.exe, see the behavioral runs); neither file carries an Authenticode signature.

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-14 05:40

Reported

2024-07-14 05:43

Platform

win7-20240704-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe"

Signatures

Loads dropped DLL

Description  Indicator  Process                                              Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe  N/A

The dropped DLL is the d3d9.dll written to \Users\Admin\AppData\Roaming (hashes under Files). The name mimics the Direct3D 9 runtime library, but it is loaded from the user profile rather than from System32.

Processes

C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe

"C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe"

Network

N/A

No connections were recorded. On this Windows 7 image the sample loaded the dropped DLL and produced no child process, no injection and no network activity; the RedLine and C2 observations come from the Windows 10 runs (behavioral2, behavioral4).

Files

memory/2716-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

memory/2716-1-0x00000000013E0000-0x0000000001550000-memory.dmp

memory/2716-2-0x00000000002C0000-0x00000000002C6000-memory.dmp

\Users\Admin\AppData\Roaming\d3d9.dll

MD5 383135ee31ca6eda2a23b16e9266e428
SHA1 7975297ec104580b54d5cac917b1aab65f025967
SHA256 14c151129c9dec79b8c35bb57a0d21977858db553892b8fdaba7eaa37d37435a
SHA512 2ca83e28f5f5ac15a6617751de848ad161daf29db7c2e7ab8cf9e4e190222a2f66ac2b9e4bebc61f24ff8d3a56982e557b94cc6c7d8b415dc719a6e1ff767449

memory/2716-7-0x0000000074B60000-0x000000007524E000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-14 05:40

Reported

2024-07-14 05:43

Platform

win10v2004-20240709-en

Max time kernel

95s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Loads dropped DLL

Description  Indicator  Process                                              Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe  N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description                          Indicator  Process                                              Target
PID 1552 set thread context of 1088  N/A        C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

PID 1552 is the sample, PID 1088 the MSBuild.exe it started without arguments (see Processes). Rewriting the thread context of a child you have just created is the final step of process hollowing: the Microsoft-signed MSBuild.exe image is only the host, and everything attributed to PID 1088 in this run (the privilege change, the TCP session under Network, the regions dumped from 1088 under Files) is the injected RedLine payload running under that name.

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                    Target
Token: SeDebugPrivilege  N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  N/A

SeDebugPrivilege is enabled inside the hollowed MSBuild.exe, i.e. by the injected payload; a build engine has no reason to request debug rights over other processes.

Processes

C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe

"C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          g.bing.com                     udp
US       204.79.197.237:443  g.bing.com                     tcp
US       8.8.8.8:53          22.160.190.20.in-addr.arpa     udp
US       8.8.8.8:53          81.144.22.2.in-addr.arpa       udp
US       8.8.8.8:53          237.197.79.204.in-addr.arpa    udp
US       8.8.8.8:53          43.58.199.20.in-addr.arpa      udp
CH       185.196.9.26:6302   -                              tcp
US       8.8.8.8:53          26.9.196.185.in-addr.arpa      udp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa     udp
US       8.8.8.8:53          18.31.95.13.in-addr.arpa       udp
US       8.8.8.8:53          192.142.123.92.in-addr.arpa    udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53          13.227.111.52.in-addr.arpa     udp

The only connection not explained by the guest's own background traffic (the g.bing.com lookup and session) is the raw TCP session to 185.196.9.26:6302: no domain, non-standard port, opened by the hollowed MSBuild.exe. That is the C2 candidate for the V2 build. The in-addr.arpa rows are reverse (PTR) lookups issued by the sandbox resolver, not attacker traffic; 26.9.196.185.in-addr.arpa is simply 185.196.9.26 reversed, and 237.197.79.204.in-addr.arpa the reverse of the g.bing.com address above. Treat the IP:port pair as the indicator, not the PTR names.
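Turning the behavioral4 chain (sample in %TEMP% starts MSBuild.exe with no arguments, rewrites its thread context, MSBuild.exe then talks to 185.196.9.26:6302) into host-side detection logic, as an added example that is not part of this report or of any vendor's ruleset. It runs over Sysmon-style process-create (EventID 1) and network-connect (EventID 3) records constructed here from the report's paths and PIDs; the explorer.exe parent (PID 2100), the Visual Studio control events and the EXPECTED_PARENTS list are assumptions.

```python
import ipaddress
import re

# Paths and PIDs below are taken from the behavioral4 run; the explorer.exe
# parent (PID 2100) and the Visual Studio control events are constructed.
MSBUILD_IMAGE = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe"

EVENTS = [
    {"EventID": 1, "ProcessId": 1552, "Image": SAMPLE_IMAGE,
     "CommandLine": f'"{SAMPLE_IMAGE}"',
     "ParentProcessId": 2100, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1088, "Image": MSBUILD_IMAGE,
     "CommandLine": f'"{MSBUILD_IMAGE}"',
     "ParentProcessId": 1552, "ParentImage": SAMPLE_IMAGE},
    {"EventID": 3, "ProcessId": 1088, "Image": MSBUILD_IMAGE,
     "DestinationIp": "185.196.9.26", "DestinationPort": 6302, "Protocol": "tcp"},
    # Constructed benign control: Visual Studio's build node also runs
    # MSBuild.exe, but with arguments and from a developer-tool parent.
    {"EventID": 1, "ProcessId": 4420, "Image": MSBUILD_IMAGE,
     "CommandLine": f'"{MSBUILD_IMAGE}" /nologo /nodeReuse:true /nodemode:1',
     "ParentProcessId": 3900,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventID": 3, "ProcessId": 4420, "Image": MSBUILD_IMAGE,
     "DestinationIp": "10.0.0.5", "DestinationPort": 443, "Protocol": "tcp"},
]

MSBUILD_RE = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\MSBuild\.exe$", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
# Parents from which an argument-less MSBuild.exe is plausible (assumption; tune per estate).
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}


def has_no_arguments(command_line, image):
    """True when the command line is just the (possibly quoted) image path."""
    return command_line.strip().strip('"').lower() == image.lower()


def detect(events):
    """Return (pid, rule, detail) tuples in event-stream order."""
    alerts = []
    suspicious = set()  # PIDs already flagged at process creation
    for e in events:
        if e["EventID"] == 1 and MSBUILD_RE.search(e["Image"]):
            parent = e["ParentImage"].rsplit("\\", 1)[-1].lower()
            # MSBuild.exe started by an executable living in a user-writable directory
            if USER_WRITABLE_RE.search(e["ParentImage"]):
                alerts.append((e["ProcessId"], "msbuild_parent_in_user_writable_dir", e["ParentImage"]))
                suspicious.add(e["ProcessId"])
            # MSBuild.exe with no project and no switches: a host for injection, not a build
            if has_no_arguments(e["CommandLine"], e["Image"]) and parent not in EXPECTED_PARENTS:
                alerts.append((e["ProcessId"], "msbuild_without_arguments", e["CommandLine"]))
                suspicious.add(e["ProcessId"])
        elif e["EventID"] == 3 and MSBUILD_RE.search(e["Image"]):
            ip = ipaddress.ip_address(e["DestinationIp"])
            # package feeds are reached over 443; a public IP on another port is not a build
            if ip.is_global and e["DestinationPort"] not in (80, 443):
                rule = "hollowed_msbuild_beacon" if e["ProcessId"] in suspicious else "msbuild_unusual_outbound"
                alerts.append((e["ProcessId"], rule, f'{ip}:{e["DestinationPort"]}/{e["Protocol"]}'))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"{pid:>5}  {rule:<38} {detail}")
```

The same three rules fire for behavioral2 (3888 starts 3628, which connects to 185.196.9.6:43164). MSBuild.exe legitimately reaches package feeds on 443, which is why the outbound rule ignores 80/443 and only escalates to hollowed_msbuild_beacon when the same PID was already flagged at creation; where Sysmon EventID 10 (ProcessAccess) is collected, a parent-to-child access from the %TEMP% executable into the MSBuild PID is the direct evidence of the injection itself.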

Files

memory/1552-0-0x00000000749BE000-0x00000000749BF000-memory.dmp

memory/1552-1-0x0000000000190000-0x0000000000300000-memory.dmp

memory/1552-2-0x0000000004D20000-0x0000000004D26000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 383135ee31ca6eda2a23b16e9266e428
SHA1 7975297ec104580b54d5cac917b1aab65f025967
SHA256 14c151129c9dec79b8c35bb57a0d21977858db553892b8fdaba7eaa37d37435a
SHA512 2ca83e28f5f5ac15a6617751de848ad161daf29db7c2e7ab8cf9e4e190222a2f66ac2b9e4bebc61f24ff8d3a56982e557b94cc6c7d8b415dc719a6e1ff767449

memory/1088-9-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1552-11-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/1088-12-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/1088-13-0x0000000005530000-0x0000000005AD4000-memory.dmp

memory/1088-14-0x0000000004F80000-0x0000000005012000-memory.dmp

memory/1088-15-0x0000000004F10000-0x0000000004F1A000-memory.dmp

memory/1088-16-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/1088-17-0x0000000006100000-0x0000000006718000-memory.dmp

memory/1088-18-0x0000000005320000-0x000000000542A000-memory.dmp

memory/1088-19-0x0000000005180000-0x0000000005192000-memory.dmp

memory/1088-20-0x0000000005210000-0x000000000524C000-memory.dmp

memory/1088-21-0x0000000005250000-0x000000000529C000-memory.dmp

memory/1088-22-0x0000000005AE0000-0x0000000005B46000-memory.dmp

memory/1088-23-0x00000000068B0000-0x0000000006900000-memory.dmp

memory/1088-24-0x0000000006BD0000-0x0000000006D92000-memory.dmp

memory/1088-25-0x00000000072D0000-0x00000000077FC000-memory.dmp

memory/1088-27-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/1552-28-0x00000000749B0000-0x0000000075160000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-14 05:40

Reported

2024-07-14 05:43

Platform

win7-20240708-en

Max time kernel

117s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description                        Indicator  Process                          Target
Token: 33                          N/A        C:\Windows\system32\AUDIODG.EXE  N/A
Token: SeIncBasePriorityPrivilege  N/A        C:\Windows\system32\AUDIODG.EXE  N/A
Token: 33                          N/A        C:\Windows\system32\AUDIODG.EXE  N/A
Token: SeIncBasePriorityPrivilege  N/A        C:\Windows\system32\AUDIODG.EXE  N/A

Noise, not sample activity: AUDIODG.EXE is Windows Audio Device Graph Isolation, a system process that enables these two privileges as part of its normal operation (LUID 33, shown here as "Token: 33", is SeIncreaseWorkingSetPrivilege). The run shows no relationship between the sample and AUDIODG.EXE, and this signature never fires against ExtremeHeatV1.exe itself.

Processes

C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe

"C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x1a0

Network

N/A

No connections were recorded. As with the V2 build on Windows 7 (behavioral3), the sample loaded the dropped DLL and produced no child process, no injection and no network activity on this image; the RedLine and C2 observations for V1 come from the Windows 10 run (behavioral2).

Files

memory/3040-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

memory/3040-1-0x0000000000950000-0x0000000000B20000-memory.dmp

memory/3040-2-0x0000000000420000-0x0000000000426000-memory.dmp

\Users\Admin\AppData\Roaming\d3d9.dll

MD5 cfbee81495d87dc1537a869d759392ee
SHA1 2481be32b25a5edb919eb532ddb1e187b41eccd2
SHA256 25a8692639d611867124bb1d7b9dd7ac27ff790386ce3cb1365e9b0546b839ce
SHA512 810ef929881ba3a4db43eed2799a3da01056e4a3071fb3861191e3abcf7f3ae796b9b018538a290879e729d29285aa757887e47d7886af9f3d0cb7dc5d5ea160

memory/3040-7-0x0000000076F50000-0x0000000077011000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-14 05:40

Reported

2024-07-14 05:43

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe"

Signatures

Loads dropped DLL

Description  Indicator  Process                                              Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe  N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description                          Indicator  Process                                              Target
PID 3888 set thread context of 3628  N/A        C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Same hollowing pattern as the V2 build: the sample (3888) starts MSBuild.exe (3628) with no arguments and rewrites its thread context. The process enumeration, privilege changes, network session and crash recorded below for PID 3628 are the injected payload, not MSBuild.

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description                 Indicator  Process                                                    Target
Token: SeDebugPrivilege     N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  N/A
Token: SeBackupPrivilege    N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  N/A
Token: SeSecurityPrivilege  N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  N/A
Token: SeSecurityPrivilege  N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  N/A
Token: SeSecurityPrivilege  N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  N/A
Token: SeSecurityPrivilege  N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  N/A

All six adjustments happen inside the hollowed MSBuild.exe (PID 3628), so they belong to the injected payload. SeDebugPrivilege gives it handles to other processes, SeBackupPrivilege lets it read files regardless of their ACL, and SeSecurityPrivilege covers SACL and security-descriptor access; that is the privilege set a stealer wants before reading wallet and credential files, and it lines up with the EnumeratesProcesses and wallet-access hits above.

Processes

C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe

"C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3628 -ip 3628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 2316

Both WerFault.exe instances are Windows Error Reporting handling a crash of PID 3628, the hollowed MSBuild.exe; this is the "Program crash" entry in the summary. The reporter runs from SysWOW64, so the crashing process is 32-bit, which matches the Framework (not Framework64) MSBuild.exe path and the 0x00400000 image base dumped from 3628 under Files.

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53          76.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53          73.144.22.2.in-addr.arpa       udp
CH       185.196.9.6:43164   -                              tcp
US       8.8.8.8:53          6.9.196.185.in-addr.arpa       udp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa     udp
US       8.8.8.8:53          18.31.95.13.in-addr.arpa       udp
US       8.8.8.8:53          240.221.184.93.in-addr.arpa    udp
US       8.8.8.8:53          83.210.23.2.in-addr.arpa       udp
US       8.8.8.8:53          13.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53          88.16.208.104.in-addr.arpa     udp

As in behavioral4, the only real connection is a raw TCP session to a hard-coded endpoint, here 185.196.9.6:43164: the same /24 as the V2 build's 185.196.9.26:6302 but a different host and port, so the two executables carry different C2 configurations. The in-addr.arpa rows are reverse lookups by the sandbox resolver (6.9.196.185.in-addr.arpa is 185.196.9.6 reversed); no forward name was ever resolved for the C2 host, so the IP:port pair is the indicator.
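Added example, not part of the report: a parser for the flattened Network tables of behavioral4 and behavioral2 that separates resolver traffic from real connections, decodes the in-addr.arpa names back to the addresses they reverse, and flags direct connections to a public IP with no domain as C2 candidates. The rows are copied from the two runs; the C2 rule and the "ptr_seen" correlation are the editor's, not the sandbox's.

```python
import ipaddress
import re

# Rows copied from the report's behavioral4 and behavioral2 Network sections
# ("Country Destination Domain Proto"). A direct connection has no Domain
# column, so those rows carry only three fields.
BEHAVIORAL4_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
CH 185.196.9.26:6302 tcp
US 8.8.8.8:53 26.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
"""

BEHAVIORAL2_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
CH 185.196.9.6:43164 tcp
US 8.8.8.8:53 6.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
"""

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_rows(text):
    """Turn the flattened table into dicts; 'domain' is None for direct connections."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        events.append({"country": country, "ip": ip, "port": int(port),
                       "domain": domain, "proto": proto})
    return events


def ptr_to_ip(name):
    """Decode an in-addr.arpa name: the octets are stored in reverse order."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def triage(text):
    """Separate resolver traffic from real connections and flag C2 candidates.

    A C2 candidate is a direct connection to a public address that the report
    could not tie to a domain name, i.e. a hard-coded IP:port.
    """
    reverse_lookups = {}   # decoded IP -> PTR name that was queried
    forward_lookups = set()
    direct = []
    for e in parse_rows(text):
        if e["port"] == 53 and e["proto"] == "udp" and e["domain"]:
            ip = ptr_to_ip(e["domain"])
            if ip:
                reverse_lookups[ip] = e["domain"]
            else:
                forward_lookups.add(e["domain"])
        else:
            direct.append(e)

    c2_candidates = []
    for e in direct:
        if e["domain"] is None and ipaddress.ip_address(e["ip"]).is_global:
            c2_candidates.append({
                "endpoint": f'{e["ip"]}:{e["port"]}',
                "country": e["country"],
                # a PTR query for the same IP is the guest resolving the peer
                # it just talked to, not additional attacker activity
                "ptr_seen": e["ip"] in reverse_lookups,
            })
    return {
        "c2_candidates": c2_candidates,
        "domains_resolved": sorted(forward_lookups),
        "reverse_lookups": reverse_lookups,
        "other_connections": [f'{e["ip"]}:{e["port"]} ({e["domain"]})'
                              for e in direct if e["domain"]],
    }


if __name__ == "__main__":
    for name, rows in (("behavioral4", BEHAVIORAL4_ROWS), ("behavioral2", BEHAVIORAL2_ROWS)):
        r = triage(rows)
        print(name, "C2 candidates:", r["c2_candidates"])
        print(name, "resolved domains:", r["domains_resolved"])
        print(name, "other connections:", r["other_connections"])
```

The reverse_lookups map is what lets you discard most of the table: every PTR name decodes to an address the guest contacted for its own reasons (Bing, Windows services) or to the C2 host itself, so the only indicators worth exporting are the two endpoint strings in c2_candidates.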

Files

memory/3888-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

memory/3888-1-0x0000000000470000-0x0000000000640000-memory.dmp

memory/3888-2-0x0000000004F20000-0x0000000004F26000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 cfbee81495d87dc1537a869d759392ee
SHA1 2481be32b25a5edb919eb532ddb1e187b41eccd2
SHA256 25a8692639d611867124bb1d7b9dd7ac27ff790386ce3cb1365e9b0546b839ce
SHA512 810ef929881ba3a4db43eed2799a3da01056e4a3071fb3861191e3abcf7f3ae796b9b018538a290879e729d29285aa757887e47d7886af9f3d0cb7dc5d5ea160

memory/3628-9-0x0000000000400000-0x0000000000474000-memory.dmp

memory/3888-11-0x0000000074B10000-0x00000000752C0000-memory.dmp

memory/3628-12-0x0000000005DD0000-0x0000000006374000-memory.dmp

memory/3628-13-0x0000000074B10000-0x00000000752C0000-memory.dmp

memory/3628-14-0x0000000074B10000-0x00000000752C0000-memory.dmp

memory/3628-15-0x0000000005920000-0x00000000059B2000-memory.dmp

memory/3628-16-0x0000000005900000-0x000000000590A000-memory.dmp

memory/3628-17-0x0000000008C80000-0x0000000009298000-memory.dmp

memory/3628-18-0x00000000087B0000-0x00000000088BA000-memory.dmp

memory/3628-19-0x0000000008700000-0x0000000008712000-memory.dmp

memory/3628-20-0x0000000008760000-0x000000000879C000-memory.dmp

memory/3628-21-0x00000000088C0000-0x000000000890C000-memory.dmp

memory/3628-22-0x0000000009510000-0x0000000009576000-memory.dmp

memory/3628-23-0x0000000009800000-0x0000000009876000-memory.dmp

memory/3628-24-0x0000000009780000-0x000000000979E000-memory.dmp

memory/3628-25-0x000000000A0C0000-0x000000000A282000-memory.dmp

memory/3628-26-0x000000000A7C0000-0x000000000ACEC000-memory.dmp

memory/3628-27-0x0000000074B10000-0x00000000752C0000-memory.dmp

memory/3888-28-0x0000000074B10000-0x00000000752C0000-memory.dmp
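Added example, not part of the report: which of the dumps listed under Files to open first. The file names encode PID, capture sequence number and address range; combined with the SetThreadContext edge (1552 to 1088 in behavioral4, 3888 to 3628 in behavioral2) that is enough to separate the runtime module mapped into both processes from the region a hollowed process should not have, a PE at the classic 0x00400000 base inside MSBuild.exe. The dump names are copied from behavioral4; the labels are the editor's heuristics, not the sandbox's, and apply unchanged to the behavioral2 list.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")

# Dump file names copied verbatim from the behavioral4 Files section.
BEHAVIORAL4_DUMPS = """\
memory/1552-0-0x00000000749BE000-0x00000000749BF000-memory.dmp
memory/1552-1-0x0000000000190000-0x0000000000300000-memory.dmp
memory/1552-2-0x0000000004D20000-0x0000000004D26000-memory.dmp
memory/1088-9-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1552-11-0x00000000749B0000-0x0000000075160000-memory.dmp
memory/1088-12-0x00000000749B0000-0x0000000075160000-memory.dmp
memory/1088-13-0x0000000005530000-0x0000000005AD4000-memory.dmp
memory/1088-14-0x0000000004F80000-0x0000000005012000-memory.dmp
memory/1088-15-0x0000000004F10000-0x0000000004F1A000-memory.dmp
memory/1088-16-0x00000000749B0000-0x0000000075160000-memory.dmp
memory/1088-17-0x0000000006100000-0x0000000006718000-memory.dmp
memory/1088-18-0x0000000005320000-0x000000000542A000-memory.dmp
memory/1088-19-0x0000000005180000-0x0000000005192000-memory.dmp
memory/1088-20-0x0000000005210000-0x000000000524C000-memory.dmp
memory/1088-21-0x0000000005250000-0x000000000529C000-memory.dmp
memory/1088-22-0x0000000005AE0000-0x0000000005B46000-memory.dmp
memory/1088-23-0x00000000068B0000-0x0000000006900000-memory.dmp
memory/1088-24-0x0000000006BD0000-0x0000000006D92000-memory.dmp
memory/1088-25-0x00000000072D0000-0x00000000077FC000-memory.dmp
memory/1088-27-0x00000000749B0000-0x0000000075160000-memory.dmp
memory/1552-28-0x00000000749B0000-0x0000000075160000-memory.dmp
"""


def parse_dumps(text):
    """Decode memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp names, in capture order."""
    regions = []
    for m in DUMP_RE.finditer(text):
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                        "start": start, "end": end, "size": end - start})
    return sorted(regions, key=lambda r: r["seq"])


def shared_ranges(regions):
    """Address ranges that appear, byte-identical, in more than one PID."""
    pids_by_range = defaultdict(set)
    for r in regions:
        pids_by_range[(r["start"], r["end"])].add(r["pid"])
    return {rng: pids for rng, pids in pids_by_range.items() if len(pids) > 1}


def classify(regions, source_pid, target_pid):
    """Label each region using only the dump names and the SetThreadContext edge."""
    shared = shared_ranges(regions)
    labeled = []
    for r in regions:
        rng = (r["start"], r["end"])
        if rng in shared:
            label = "module mapped in both processes (same range), e.g. the .NET runtime"
        elif any(s <= r["start"] and r["end"] <= e for s, e in shared):
            label = "single page inside a shared module (captured separately from the mapping)"
        elif r["pid"] == target_pid and r["start"] == 0x400000:
            label = "payload candidate: PE at the classic 0x400000 base in the hollowed process"
        elif r["pid"] == target_pid:
            label = "allocation in the target after injection (runtime data, not the image)"
        else:
            label = "source-process region (packed image or unpacking buffer)"
        labeled.append({**r, "label": label})
    return labeled


def payload_candidates(regions, target_pid):
    """Dumps to unpack first: target-PID regions based at 0x400000."""
    return [r for r in regions if r["pid"] == target_pid and r["start"] == 0x400000]


if __name__ == "__main__":
    regions = parse_dumps(BEHAVIORAL4_DUMPS)
    for r in classify(regions, source_pid=1552, target_pid=1088):
        print(f'{r["pid"]}-{r["seq"]:<3} 0x{r["start"]:08X}-0x{r["end"]:08X} '
              f'{r["size"]:>9,} B  {r["label"]}')
```

For behavioral4 this singles out memory/1088-9 (0x50000 bytes at 0x400000) as the injected image, and for behavioral2 the same rule picks memory/3628-9 (0x74000 bytes): the two builds inject payloads of different sizes into the same host binary, consistent with the different d3d9.dll hashes and C2 endpoints.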