Malware Analysis Report

2025-01-22 08:55

Sample ID 241027-qb3k8avqhq
Target 59b981c845210902ebc9b52c47268a24.exe
SHA256 caf031a80d5d63e780b088b0f42a265d2c60896cf639fced0ea3e31f134b484d
Tags
redline zzz discovery infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

caf031a80d5d63e780b088b0f42a265d2c60896cf639fced0ea3e31f134b484d

Threat Level: Known bad

The file 59b981c845210902ebc9b52c47268a24.exe was found to be: Known bad.

Malicious Activity Summary

redline zzz discovery infostealer spyware stealer

RedLine payload

RedLine

Redline family

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 13:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 13:06

Reported

2024-10-27 13:08

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59b981c845210902ebc9b52c47268a24.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\59b981c845210902ebc9b52c47268a24.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\59b981c845210902ebc9b52c47268a24.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\59b981c845210902ebc9b52c47268a24.exe

"C:\Users\Admin\AppData\Local\Temp\59b981c845210902ebc9b52c47268a24.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
SE 5.42.92.74:7175 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/3496-0-0x000000007455E000-0x000000007455F000-memory.dmp

memory/3496-1-0x00000000000A0000-0x0000000000132000-memory.dmp

memory/3496-2-0x0000000002430000-0x0000000002436000-memory.dmp

memory/3496-3-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/3496-4-0x000000000D6A0000-0x000000000D740000-memory.dmp

memory/3496-5-0x000000000DCF0000-0x000000000E294000-memory.dmp

memory/3496-6-0x000000000D7E0000-0x000000000D872000-memory.dmp

memory/3496-7-0x00000000045C0000-0x00000000045C6000-memory.dmp

memory/3496-8-0x0000000004E10000-0x0000000004E1A000-memory.dmp

memory/3496-9-0x0000000005450000-0x0000000005A68000-memory.dmp

memory/3496-10-0x0000000004FB0000-0x00000000050BA000-memory.dmp

memory/3496-11-0x0000000004EF0000-0x0000000004F02000-memory.dmp

memory/3496-12-0x0000000004F50000-0x0000000004F8C000-memory.dmp

memory/3496-13-0x00000000050C0000-0x000000000510C000-memory.dmp

memory/3496-14-0x0000000005360000-0x00000000053C6000-memory.dmp

memory/3496-15-0x0000000006420000-0x0000000006470000-memory.dmp

memory/3496-16-0x0000000007580000-0x0000000007742000-memory.dmp

memory/3496-17-0x0000000007C80000-0x00000000081AC000-memory.dmp

memory/3496-18-0x000000007455E000-0x000000007455F000-memory.dmp

memory/3496-19-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/3496-21-0x0000000074550000-0x0000000074D00000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 13:06

Reported

2024-10-27 13:08

Platform

win7-20241010-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59b981c845210902ebc9b52c47268a24.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\59b981c845210902ebc9b52c47268a24.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\59b981c845210902ebc9b52c47268a24.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\59b981c845210902ebc9b52c47268a24.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\59b981c845210902ebc9b52c47268a24.exe

"C:\Users\Admin\AppData\Local\Temp\59b981c845210902ebc9b52c47268a24.exe"

Network

Country Destination Domain Proto
SE 5.42.92.74:7175 tcp

Files

memory/2568-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

memory/2568-1-0x0000000000E70000-0x0000000000F02000-memory.dmp

memory/2568-2-0x0000000000200000-0x0000000000206000-memory.dmp

memory/2568-3-0x0000000073F50000-0x000000007463E000-memory.dmp

memory/2568-4-0x0000000009E20000-0x0000000009EC0000-memory.dmp

memory/2568-5-0x00000000004D0000-0x00000000004D6000-memory.dmp

memory/2568-6-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

memory/2568-7-0x0000000073F50000-0x000000007463E000-memory.dmp

memory/2568-8-0x0000000073F50000-0x000000007463E000-memory.dmp