Malware Analysis Report

2025-03-15 04:50

Sample ID 240714-shv6tsvhnp
Target 217.exe
SHA256 92682078977a588ba4cc3dfe7ce9d744bf752a635ab73c027cdbae68ff8e749f
Tags
redline 6951125327 discovery infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

92682078977a588ba4cc3dfe7ce9d744bf752a635ab73c027cdbae68ff8e749f

Threat Level: Known bad

The file 217.exe was found to be: Known bad.

Malicious Activity Summary

redline 6951125327 discovery infostealer spyware stealer

RedLine

RedLine payload

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-14 15:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-14 15:08

Reported

2024-07-14 15:10

Platform

win10v2004-20240704-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\217.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2400 set thread context of 1904 N/A C:\Users\Admin\AppData\Local\Temp\217.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\217.exe

"C:\Users\Admin\AppData\Local\Temp\217.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 o0.u2024.icu udp
FI 95.217.245.123:443 o0.u2024.icu tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 123.245.217.95.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 34.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/2400-0-0x0000000000840000-0x0000000000841000-memory.dmp

memory/1904-1-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1904-2-0x00000000740BE000-0x00000000740BF000-memory.dmp

memory/1904-3-0x00000000054A0000-0x0000000005506000-memory.dmp

memory/1904-4-0x0000000005FB0000-0x00000000065C8000-memory.dmp

memory/1904-5-0x00000000059D0000-0x00000000059E2000-memory.dmp

memory/1904-6-0x0000000005B00000-0x0000000005C0A000-memory.dmp

memory/1904-7-0x00000000740B0000-0x0000000074860000-memory.dmp

memory/1904-8-0x00000000067D0000-0x000000000680C000-memory.dmp

memory/1904-9-0x0000000006810000-0x000000000685C000-memory.dmp

memory/1904-10-0x0000000006B40000-0x0000000006D02000-memory.dmp

memory/1904-11-0x0000000007240000-0x000000000776C000-memory.dmp

memory/1904-12-0x0000000007D20000-0x00000000082C4000-memory.dmp

memory/1904-13-0x0000000006EB0000-0x0000000006F42000-memory.dmp

memory/1904-14-0x0000000006D60000-0x0000000006DB0000-memory.dmp

memory/1904-15-0x0000000006E30000-0x0000000006EA6000-memory.dmp

memory/1904-16-0x0000000006DB0000-0x0000000006DCE000-memory.dmp

memory/1904-18-0x00000000740B0000-0x0000000074860000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-14 15:08

Reported

2024-07-14 15:10

Platform

win7-20240708-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\217.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\217.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 996 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\217.exe C:\Windows\SysWOW64\WerFault.exe
PID 996 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\217.exe C:\Windows\SysWOW64\WerFault.exe
PID 996 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\217.exe C:\Windows\SysWOW64\WerFault.exe
PID 996 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\217.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\217.exe

"C:\Users\Admin\AppData\Local\Temp\217.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 108

Network

N/A

Files

memory/996-0-0x00000000000F0000-0x00000000000F1000-memory.dmp