Malware Analysis Report

2025-03-15 04:50

Sample ID 240714-ycejsasgpn
Target 649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f
SHA256 649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f
Tags
redline 6951125327 discovery infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f

Threat Level: Known bad

The file 649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f was found to be: Known bad.

Malicious Activity Summary

redline 6951125327 discovery infostealer spyware stealer

RedLine

RedLine payload

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-14 19:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-14 19:38

Reported

2024-07-14 19:40

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description: PID 220 set thread context of 3984
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 220 wrote to memory of 3984 (8 identical rows)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe

"C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 203.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 o0.u2024.icu udp
FI 95.217.245.123:443 o0.u2024.icu tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 123.245.217.95.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/220-0-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

memory/3984-1-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3984-2-0x000000007457E000-0x000000007457F000-memory.dmp

memory/3984-3-0x0000000005700000-0x0000000005766000-memory.dmp

memory/3984-4-0x0000000006230000-0x0000000006848000-memory.dmp

memory/3984-5-0x0000000005C80000-0x0000000005C92000-memory.dmp

memory/3984-6-0x0000000005DB0000-0x0000000005EBA000-memory.dmp

memory/3984-7-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/3984-8-0x0000000006BD0000-0x0000000006C0C000-memory.dmp

memory/3984-9-0x0000000006C10000-0x0000000006C5C000-memory.dmp

memory/3984-10-0x0000000006F30000-0x00000000070F2000-memory.dmp

memory/3984-11-0x0000000007630000-0x0000000007B5C000-memory.dmp

memory/3984-12-0x0000000007100000-0x0000000007192000-memory.dmp

memory/3984-13-0x0000000008110000-0x00000000086B4000-memory.dmp

memory/3984-14-0x0000000007220000-0x0000000007296000-memory.dmp

memory/3984-15-0x00000000071A0000-0x00000000071BE000-memory.dmp

memory/3984-16-0x0000000007300000-0x0000000007350000-memory.dmp

memory/3984-18-0x0000000074570000-0x0000000074D20000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-14 19:38

Reported

2024-07-14 19:40

Platform

win11-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description: PID 4936 set thread context of 1312
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 4936 wrote to memory of 1312 (8 identical rows)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
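The SetThreadContext and WriteProcessMemory rows in both behavioral runs describe the same thing: the sample dropped in %TEMP% starts the legitimate .NET utility RegAsm.exe, writes into it repeatedly and then changes a thread context, which is the shape of process hollowing, with the PIDs differing only because the runs are separate detonations. The following is an added example, not part of the sandbox report, that parses those signature rows (copied from the behavioral1 and behavioral2 tables above) into a parent-to-child injection edge and applies that test. The path prefixes used to decide "user-writable source" and ".NET host target", and the svchost.exe control row, are assumptions made here for illustration.

```python
import re
from dataclasses import dataclass

# Added example (not from the sandbox report): rebuild the parent->child injection
# relationship from the SetThreadContext / WriteProcessMemory signature rows and
# decide whether they match the process-hollowing pattern.

SAMPLE = "649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Rows as they appear in the report's behavioral1 / behavioral2 signature tables
# (columns flattened onto one line: Description, Indicator, Process, Target).
BEHAVIORAL1 = [f"PID 220 set thread context of 3984 N/A {DROPPER} {REGASM}"] + \
              [f"PID 220 wrote to memory of 3984 N/A {DROPPER} {REGASM}"] * 8
BEHAVIORAL2 = [f"PID 4936 set thread context of 1312 N/A {DROPPER} {REGASM}"] + \
              [f"PID 4936 wrote to memory of 1312 N/A {DROPPER} {REGASM}"] * 8

# Constructed negative control (assumption, not from the report): a single write with no
# thread-context change between two system binaries, which tooling such as a debugger
# or an AV scanner can legitimately produce.
BENIGN = [r"PID 900 wrote to memory of 950 N/A C:\Windows\System32\svchost.exe "
          r"C:\Windows\System32\svchost.exe"]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) (?P<dst>\d+)\s+"
    r"(?P<indicator>\S+)\s+(?P<process>\S+)\s+(?P<target>\S+)$"
)

# Heuristic path classes (assumed for this example).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
DOTNET_DIR = "c:\\windows\\microsoft.net\\"


@dataclass
class InjectionEdge:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    writes: int = 0
    set_thread_context: bool = False

    def is_hollowing_candidate(self) -> bool:
        """Memory writes plus a thread-context change, from a user-writable path into a
        Microsoft .NET host binary: the hollowing shape, independent of the PIDs."""
        return (self.writes > 0 and self.set_thread_context
                and self.src_image.lower().startswith(USER_WRITABLE)
                and self.dst_image.lower().startswith(DOTNET_DIR))


def parse_edges(rows):
    """Aggregate one edge per (source PID, target PID); count writes, note SetThreadContext."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue  # rows without a PID description (e.g. 'N/A N/A N/A N/A') carry no edge
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(key, InjectionEdge(key[0], key[1], m["process"], m["target"]))
        if m["action"].startswith("wrote"):
            edge.writes += 1
        else:
            edge.set_thread_context = True
    return list(edges.values())


def triage(rows):
    """Flat verdict per edge, suitable for dumping as JSON or into a case note."""
    return [
        {"chain": f"{e.src_pid} -> {e.dst_pid}",
         "source": e.src_image, "target": e.dst_image,
         "writes": e.writes, "set_thread_context": e.set_thread_context,
         "process_hollowing": e.is_hollowing_candidate()}
        for e in parse_edges(rows)
    ]


if __name__ == "__main__":
    for name, rows in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2),
                       ("control", BENIGN)):
        for verdict in triage(rows):
            print(name, verdict)
```

The same logic transfers to endpoint telemetry: a Sysmon event 8 (CreateRemoteThread) or an EDR "thread context modified" event from a parent under %TEMP% into a freshly spawned RegAsm.exe, RegSvcs.exe or similar .NET host is the live-host equivalent of these rows. The SeDebugPrivilege request by RegAsm.exe in the following signature is a separate signal: a stock RegAsm.exe has no reason to enable it, and it is consistent with the hollowed process, not the dropper, doing the later enumeration.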

Processes

C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe

"C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
FI 95.217.245.123:443 o0.u2024.icu tcp
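Most rows in the two Network tables are DNS traffic to the sandbox's resolver (8.8.8.8), and most of those are PTR (in-addr.arpa) lookups of addresses the host had just spoken to, so the actionable indicators reduce to two contacted hosts: t.me on 149.154.167.99:443 and o0.u2024.icu on 95.217.245.123:443. The following is an added example, not from the sandbox report, that applies that reduction to rows copied from the behavioral1 table above (behavioral2 contacts the same two hosts), including the row whose domain column is empty, and then runs the resulting indicators over a handful of constructed proxy events. The resolver address as a filter, and the proxy events, are assumptions made here.

```python
import ipaddress

# Added example (not from the sandbox report): reduce the Network tables to
# actionable indicators and separate C2 contacts from DNS noise.

# Rows copied from the behavioral1 Network table
# (Country Destination Domain Proto; the last row has no domain column).
NETWORK_ROWS = [
    "US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 t.me udp",
    "NL 149.154.167.99:443 t.me tcp",
    "US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp",
    "US 8.8.8.8:53 o0.u2024.icu udp",
    "FI 95.217.245.123:443 o0.u2024.icu tcp",
    "US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp",
    "US 8.8.8.8:53 123.245.217.95.in-addr.arpa udp",
    "US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp",
    "US 8.8.8.8:53 udp",
]


def ptr_to_ip(name):
    """'99.167.154.149.in-addr.arpa' -> '149.154.167.99' (IPv4 PTR names list octets reversed)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def extract_iocs(rows, resolver="8.8.8.8"):
    """Split rows into forward DNS queries, PTR lookups and real connections."""
    queried, connections, ptr_lookups = set(), set(), set()
    for row in rows:
        parts = row.split()
        if len(parts) == 4:
            _country, dest, domain, proto = parts
        elif len(parts) == 3:            # domain column missing, as in the report's last row
            _country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53" and ip == resolver:
            if domain is None:
                continue                 # nothing to extract from a nameless query row
            ptr = ptr_to_ip(domain)
            if ptr:
                ptr_lookups.add(ptr)     # reverse lookups are a side effect, not indicators
            else:
                queried.add(domain)
            continue
        connections.add((ip, int(port), domain))
    domains = queried | {d for _, _, d in connections if d}
    ips = {ip for ip, _, _ in connections}
    return {"domains": domains, "ips": ips, "connections": connections,
            "ptr_lookups_for_contacted_ips": ptr_lookups & ips}


# Constructed proxy events (assumption, not from the report):
# (client, destination IP, destination port, TLS server name or HTTP host)
EVENTS = [
    ("ws-17", "95.217.245.123", 443, "o0.u2024.icu"),
    ("ws-17", "149.154.167.99", 443, "t.me"),
    ("ws-04", "142.250.74.46", 443, "www.google.com"),
    ("ws-09", "8.8.8.8", 53, None),
]


def match_events(iocs, events):
    """Return (client, reasons) for every event touching an extracted IP or domain."""
    hits = []
    for client, ip, port, host in events:
        reasons = []
        if ip in iocs["ips"]:
            reasons.append(f"ip:{ip}")
        if host in iocs["domains"]:
            reasons.append(f"domain:{host}")
        if reasons:
            hits.append((client, reasons))
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    print("domains:", sorted(iocs["domains"]))
    print("ips:", sorted(iocs["ips"]))
    print("ptr lookups matching contacted ips:", sorted(iocs["ptr_lookups_for_contacted_ips"]))
    for client, reasons in match_events(iocs, EVENTS):
        print("hit", client, reasons)
```

Two caveats when turning this into a block or alert. t.me is Telegram's public web front end, so 149.154.167.99 and the t.me name will also appear in benign traffic; treat the t.me contact as a signal only when paired with the process context from the signatures (a RegAsm.exe spawned from %TEMP%), not as a standalone indicator. o0.u2024.icu and 95.217.245.123, by contrast, have no legitimate reason to appear in enterprise traffic and can be blocked outright. The PTR rows are worth keeping in the case file only as corroboration that the host resolved the addresses it had just connected to.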

Files

memory/4936-0-0x00000000033B0000-0x00000000033B1000-memory.dmp

memory/1312-1-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1312-2-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

memory/1312-3-0x0000000005350000-0x00000000053B6000-memory.dmp

memory/1312-4-0x0000000005E20000-0x0000000006438000-memory.dmp

memory/1312-5-0x00000000058B0000-0x00000000058C2000-memory.dmp

memory/1312-6-0x00000000059E0000-0x0000000005AEA000-memory.dmp

memory/1312-7-0x0000000074EE0000-0x0000000075691000-memory.dmp

memory/1312-8-0x0000000005D80000-0x0000000005DBC000-memory.dmp

memory/1312-9-0x0000000005DC0000-0x0000000005E0C000-memory.dmp

memory/1312-10-0x0000000006A20000-0x0000000006BE2000-memory.dmp

memory/1312-11-0x0000000007120000-0x000000000764C000-memory.dmp

memory/1312-12-0x0000000006BF0000-0x0000000006C82000-memory.dmp

memory/1312-13-0x0000000007C00000-0x00000000081A6000-memory.dmp

memory/1312-14-0x0000000006D10000-0x0000000006D86000-memory.dmp

memory/1312-15-0x0000000006CC0000-0x0000000006CDE000-memory.dmp

memory/1312-16-0x0000000006FC0000-0x0000000007010000-memory.dmp

memory/1312-18-0x0000000074EE0000-0x0000000075691000-memory.dmp