Analysis Overview
SHA256
7706a695da0b080283cb224d820e8e3976ea32c8845c71362af539ddcaf30fa3
Threat Level: Known bad
The file podrebro.zip was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-14 06:37
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-14 06:36
Reported
2024-07-14 06:39
Platform
win10v2004-20240709-en
Max time kernel
58s
Max time network
63s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2012 set thread context of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe
"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| CH | 185.196.9.26:6302 | N/A | tcp |
| US | 8.8.8.8:53 | 26.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | ee247d29feb603e4e553f496b9ae8e0f |
| SHA1 | 5a7499b8fc9436af4f52203442ff724d53e1b229 |
| SHA256 | 74e7e43e3d517aad3e294341bf0ed3909d8ac53353e25224cded5285da31f3c1 |
| SHA512 | 03549dc604c4ca5c9910f5dd44820c16e03e856805d16cabf6be1d32cb3156bf314d66df15c8f41d2beeab8f6c66a286e07ecb20c42dc99f3adc95b8df7d9205 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-14 06:36
Reported
2024-07-14 06:39
Platform
win10v2004-20240709-en
Max time kernel
59s
Max time network
65s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1496 set thread context of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe
"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3144 -ip 3144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 2168
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| CH | 185.196.9.6:43164 | N/A | tcp |
| US | 8.8.8.8:53 | 6.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | eaa369f85440b19162e260f5f8a6b6a1 |
| SHA1 | 353a802d881be10699e324599a719c27596a9a92 |
| SHA256 | 628554ddfac5bb7fb3eed07a0507208e572d602470269692dc703a5c4ab25512 |
| SHA512 | 1475774a1378b7af81a4676a114d01cfe4c6830066e0400c14089500cabf73b35c91e85724601b3187e7f7d738e2acdc98b2c2194a0b761faadd3a882efcf643 |