Malware Analysis Report

2025-03-15 04:55

Sample ID 240714-lkhj7avekp
Target 9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe
SHA256 9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370
Tags
redline 6464132328_99 infostealer spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370

Threat Level: Known bad

The file 9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe was found to be: Known bad.

Malicious Activity Summary

redline 6464132328_99 infostealer spyware

RedLine payload

RedLine

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-14 09:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-14 09:35

Reported

2024-07-14 09:37

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2496 set thread context of 2484 N/A C:\Users\Admin\AppData\Local\Temp\9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2496 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
(the same write from PID 2496 into PID 2484 is recorded 8 times)

Processes

C:\Users\Admin\AppData\Local\Temp\9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe

"C:\Users\Admin\AppData\Local\Temp\9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 sp.joger.top udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
FI 95.217.245.123:3306 sp.joger.top tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 123.245.217.95.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

memory/2496-0-0x000000007485E000-0x000000007485F000-memory.dmp
memory/2496-1-0x0000000000BF0000-0x0000000000CCE000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 1f804181133345524e018243d5ad2610
SHA1 482ff64943006de93caea2671c854152203dd820
SHA256 e63e1a997fd7626c8f9d02137ab87f0c6fae00955daacaf20e4cbd89feda4e24
SHA512 a661abaa41b433282bc9d03c7f69c9c5b66b52d45d6561d79ee9faaa006988f2a7919daef71784c88508c8b944870924072485be8b1f04a60e6bcf07398f8701

memory/2484-8-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2484-11-0x00000000053D0000-0x0000000005436000-memory.dmp
memory/2496-10-0x0000000074850000-0x0000000075000000-memory.dmp
memory/2484-12-0x0000000074850000-0x0000000075000000-memory.dmp
memory/2484-13-0x0000000005EF0000-0x0000000006508000-memory.dmp
memory/2484-14-0x0000000005940000-0x0000000005952000-memory.dmp
memory/2484-15-0x0000000005A70000-0x0000000005B7A000-memory.dmp
memory/2484-16-0x0000000074850000-0x0000000075000000-memory.dmp
memory/2484-17-0x0000000006890000-0x00000000068CC000-memory.dmp
memory/2484-18-0x00000000068D0000-0x000000000691C000-memory.dmp
memory/2484-19-0x0000000006BF0000-0x0000000006DB2000-memory.dmp
memory/2484-20-0x00000000072F0000-0x000000000781C000-memory.dmp
memory/2484-21-0x0000000007DD0000-0x0000000008374000-memory.dmp
memory/2484-22-0x0000000006DC0000-0x0000000006E52000-memory.dmp
memory/2484-23-0x0000000006E60000-0x0000000006ED6000-memory.dmp
memory/2484-24-0x0000000006EE0000-0x0000000006EFE000-memory.dmp
memory/2484-25-0x0000000007070000-0x00000000070C0000-memory.dmp
memory/2484-27-0x0000000074850000-0x0000000075000000-memory.dmp
memory/2496-28-0x0000000074850000-0x0000000075000000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-14 09:35

Reported

2024-07-14 09:37

Platform

win7-20240705-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe

"C:\Users\Admin\AppData\Local\Temp\9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe"

Network

N/A

Files

memory/2972-0-0x0000000073D0E000-0x0000000073D0F000-memory.dmp
memory/2972-1-0x0000000001320000-0x00000000013FE000-memory.dmp

\Users\Admin\AppData\Roaming\d3d9.dll

MD5 1f804181133345524e018243d5ad2610
SHA1 482ff64943006de93caea2671c854152203dd820
SHA256 e63e1a997fd7626c8f9d02137ab87f0c6fae00955daacaf20e4cbd89feda4e24
SHA512 a661abaa41b433282bc9d03c7f69c9c5b66b52d45d6561d79ee9faaa006988f2a7919daef71784c88508c8b944870924072485be8b1f04a60e6bcf07398f8701

memory/2972-6-0x0000000074C50000-0x0000000074D11000-memory.dmp