Malware Analysis Report

2025-03-15 04:42

Sample ID 240714-hc8vmazekk
Target podrebro.zip
SHA256 7706a695da0b080283cb224d820e8e3976ea32c8845c71362af539ddcaf30fa3
Tags: upx, redline, infostealer, spyware
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 7706a695da0b080283cb224d820e8e3976ea32c8845c71362af539ddcaf30fa3

Threat Level: Known bad

The file podrebro.zip was found to be: Known bad.

Malicious Activity Summary

Tags: upx, redline, infostealer, spyware

RedLine

RedLine payload

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-14 06:37

Signatures

ACProtect 1.3x - 1.4x DLL software

No details recorded (all fields N/A).

UPX packed file

Tags: upx
No details recorded (all fields N/A).

Unsigned PE

7 entries, no details recorded (all fields N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-14 06:36

Reported

2024-07-14 06:39

Platform

win10v2004-20240709-en

Max time kernel

58s

Max time network

63s

Command Line

"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe"

Signatures

RedLine

Tags: infostealer, redline

RedLine payload

No details recorded (all fields N/A).

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags: spyware

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2012 set thread context of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
CH | 185.196.9.26:6302 | - | tcp
US | 8.8.8.8:53 | 26.9.196.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 ee247d29feb603e4e553f496b9ae8e0f
SHA1 5a7499b8fc9436af4f52203442ff724d53e1b229
SHA256 74e7e43e3d517aad3e294341bf0ed3909d8ac53353e25224cded5285da31f3c1
SHA512 03549dc604c4ca5c9910f5dd44820c16e03e856805d16cabf6be1d32cb3156bf314d66df15c8f41d2beeab8f6c66a286e07ecb20c42dc99f3adc95b8df7d9205


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-14 06:36

Reported

2024-07-14 06:39

Platform

win10v2004-20240709-en

Max time kernel

59s

Max time network

65s

Command Line

"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags: spyware

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1496 set thread context of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
Token: SeSecurityPrivilege (4 occurrences) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 2168

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
CH | 185.196.9.6:43164 | - | tcp
US | 8.8.8.8:53 | 6.9.196.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 eaa369f85440b19162e260f5f8a6b6a1
SHA1 353a802d881be10699e324599a719c27596a9a92
SHA256 628554ddfac5bb7fb3eed07a0507208e572d602470269692dc703a5c4ab25512
SHA512 1475774a1378b7af81a4676a114d01cfe4c6830066e0400c14089500cabf73b35c91e85724601b3187e7f7d738e2acdc98b2c2194a0b761faadd3a882efcf643
