Malware Analysis Report

2025-06-15 22:29

Sample ID 241106-vvfm1stkhz
Target 15a4cf8be41cb50d3748de04eea356193571aafbb8a9fef2a292d5c678f8d970
SHA256 15a4cf8be41cb50d3748de04eea356193571aafbb8a9fef2a292d5c678f8d970
Tags
0002 redline discovery infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

15a4cf8be41cb50d3748de04eea356193571aafbb8a9fef2a292d5c678f8d970

Threat Level: Known bad

The file 15a4cf8be41cb50d3748de04eea356193571aafbb8a9fef2a292d5c678f8d970 was found to be: Known bad.

Malicious Activity Summary

0002 redline discovery infostealer

RedLine

RedLine payload

Redline family

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 17:18

Signatures

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 17:18

Reported

2024-11-06 17:20

Platform

win7-20240903-en

Max time kernel

131s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15a4cf8be41cb50d3748de04eea356193571aafbb8a9fef2a292d5c678f8d970.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\15a4cf8be41cb50d3748de04eea356193571aafbb8a9fef2a292d5c678f8d970.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\15a4cf8be41cb50d3748de04eea356193571aafbb8a9fef2a292d5c678f8d970.exe

"C:\Users\Admin\AppData\Local\Temp\15a4cf8be41cb50d3748de04eea356193571aafbb8a9fef2a292d5c678f8d970.exe"

Network

Country | Destination | Domain | Proto
US | 13.72.81.58:13413 | | tcp
US | 13.72.81.58:13413 | | tcp
US | 13.72.81.58:13413 | | tcp
US | 13.72.81.58:13413 | | tcp
US | 13.72.81.58:13413 | | tcp
US | 13.72.81.58:13413 | | tcp

Files

memory/1916-0-0x00000000748BE000-0x00000000748BF000-memory.dmp

memory/1916-1-0x0000000000830000-0x0000000000890000-memory.dmp

memory/1916-2-0x0000000000550000-0x0000000000556000-memory.dmp

memory/1916-3-0x00000000748B0000-0x0000000074F9E000-memory.dmp

memory/1916-4-0x00000000748BE000-0x00000000748BF000-memory.dmp

memory/1916-5-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 17:18

Reported

2024-11-06 17:20

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15a4cf8be41cb50d3748de04eea356193571aafbb8a9fef2a292d5c678f8d970.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\15a4cf8be41cb50d3748de04eea356193571aafbb8a9fef2a292d5c678f8d970.exe | N/A
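The "Key opened" indicator above (the same one recorded in the behavioral1 run) is the observable behind the System Language Discovery signature: the sample reads HKLM\SYSTEM\ControlSet001\Control\NLS\Language, which a locale-aware stealer does before deciding whether to run. The following is an added example, not code from the sandbox or the report, showing how that indicator can be turned into detection logic that does not fire on every OS component that reads the same key. The events are constructed in a Procmon-style CSV layout to mirror the report's indicator (they are not real logs), and the path-based severity rules and the System32 baseline are assumptions to be tuned per environment.

```python
"""Detection logic for the report's System Language Discovery indicator
(ATT&CK T1614.001): a process opening the NLS\\Language registry key.

Added example, not part of the original sandbox report. The events are
constructed in a Procmon-style CSV layout to mirror the report's indicator;
they are not real logs, and the path-based severity rules are assumptions.
"""
import csv
import io
import re
from collections import defaultdict

# The key from the report (ControlSet001), plus the CurrentControlSet alias and
# HKLM shorthand, optionally followed by a value name such as InstallLanguage.
LANG_KEY_RE = re.compile(
    r"^(?:HKLM|\\REGISTRY\\MACHINE)\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\Control\\NLS\\Language(?:\\|$)",
    re.IGNORECASE,
)

# User-writable drop locations a freshly delivered stealer runs from (assumption).
USER_DROP_RE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\Downloads\\", re.IGNORECASE
)

# OS components read this key at every logon; reading it is not suspicious on
# its own, so these are suppressed (assumed baseline, tune per environment).
SYSTEM_IMAGE_RE = re.compile(r"^C:\\Windows\\(?:System32|SysWOW64)\\", re.IGNORECASE)

# Process path exactly as recorded in the report's Processes section.
SAMPLE_EXE = (
    r"C:\Users\Admin\AppData\Local\Temp"
    r"\15a4cf8be41cb50d3748de04eea356193571aafbb8a9fef2a292d5c678f8d970.exe"
)

# Constructed events: the sample's key open/read, two OS processes reading the
# same key, a second user-dropped binary, and an unrelated Run-key read.
CONSTRUCTED_EVENTS = "time,pid,image,operation,path,result\n" + "\n".join([
    f"17:18:41,1916,{SAMPLE_EXE},RegOpenKey,"
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language,SUCCESS",
    f"17:18:41,1916,{SAMPLE_EXE},RegQueryValue,"
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language\InstallLanguage,SUCCESS",
    r"17:18:42,844,C:\Windows\System32\svchost.exe,RegOpenKey,"
    r"HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language,SUCCESS",
    r"17:18:43,1300,C:\Windows\explorer.exe,RegOpenKey,"
    r"HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language,SUCCESS",
    r"17:18:44,2044,C:\Users\Admin\Downloads\setup.exe,RegOpenKey,"
    r"HKLM\SYSTEM\ControlSet001\Control\NLS\Language,SUCCESS",
    r"17:18:45,1300,C:\Windows\explorer.exe,RegOpenKey,"
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SUCCESS",
])


def parse_events(text: str) -> list[dict]:
    """Read the CSV log into dicts; the csv module treats backslashes literally."""
    return list(csv.DictReader(io.StringIO(text)))


def severity_for(image: str) -> str:
    """Rank the reading process by where it executes from."""
    if USER_DROP_RE.search(image):
        return "high"
    if SYSTEM_IMAGE_RE.match(image):
        return "suppressed"
    return "medium"


def detect_language_discovery(events: list[dict]) -> list[dict]:
    """One finding per (pid, image) that touched the language key, highest first."""
    accesses = defaultdict(list)
    for ev in events:
        if LANG_KEY_RE.match(ev["path"]):
            accesses[(int(ev["pid"]), ev["image"])].append((ev["operation"], ev["path"]))
    order = {"high": 0, "medium": 1}
    findings = [
        {"pid": pid, "image": image, "severity": severity_for(image), "accesses": acc}
        for (pid, image), acc in accesses.items()
        if severity_for(image) != "suppressed"
    ]
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in detect_language_discovery(parse_events(CONSTRUCTED_EVENTS)):
        print(f["severity"].upper(), f["pid"], f["image"], len(f["accesses"]), "key access(es)")
```

Two practical caveats. Sysmon does not record key opens or reads (its registry events cover key create/delete, value set and rename), so on a live host this signal comes from Procmon, ETW registry tracing or EDR registry telemetry rather than from the Sysmon log. And explorer.exe lands at medium here only because it lives outside System32; in a real deployment the baseline would list the legitimate readers explicitly, leaving the key read as a corroborating signal beside the unsigned PE in a temp path and the outbound TCP connection the report also records.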

Processes

C:\Users\Admin\AppData\Local\Temp\15a4cf8be41cb50d3748de04eea356193571aafbb8a9fef2a292d5c678f8d970.exe

"C:\Users\Admin\AppData\Local\Temp\15a4cf8be41cb50d3748de04eea356193571aafbb8a9fef2a292d5c678f8d970.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp
US | 13.72.81.58:13413 | | tcp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 13.72.81.58:13413 | | tcp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
US | 13.72.81.58:13413 | | tcp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 13.72.81.58:13413 | | tcp
US | 8.8.8.8:53 | 69.208.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 13.72.81.58:13413 | | tcp
US | 13.72.81.58:13413 | | tcp
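The network table above mixes two kinds of rows: the sample's repeated TCP connections to 13.72.81.58:13413 (the same destination seen six times in the behavioral1 run) and a series of UDP port-53 reverse-DNS (PTR) queries to 8.8.8.8 for unrelated addresses. The following is an added example, not code from the sandbox or the report, that triages the table: it parses the rows, decodes each PTR name back to the address it asks about, counts the non-DNS connections per destination, and checks whether any DNS row names the TCP destination. ROWS is the behavioral2 table copied from the report; treating the port-53 rows as sandbox background rather than sample-originated traffic is an assumption for triage purposes.

```python
"""Triage of the behavioral2 network table: separate the sample's own TCP
connections from background reverse-DNS lookups and decode PTR names.

Added example, not part of the original sandbox report. ROWS is the report's
behavioral2 network table; the rule that UDP port-53 rows are background
noise rather than sample traffic is an assumption used for triage.
"""
import ipaddress
from collections import Counter

ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 13.72.81.58:13413 tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 13.72.81.58:13413 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 13.72.81.58:13413 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 13.72.81.58:13413 tcp
US 8.8.8.8:53 69.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 13.72.81.58:13413 tcp
US 13.72.81.58:13413 tcp
"""

PTR_SUFFIX = ".in-addr.arpa"


def parse_row(line: str) -> dict:
    """Split 'Country Destination [Domain] Proto'; Domain is absent on TCP rows."""
    parts = line.split()
    ip, port = parts[1].rsplit(":", 1)
    return {
        "country": parts[0],
        "ip": ip,
        "port": int(port),
        "domain": parts[2] if len(parts) == 4 else None,
        "proto": parts[-1],
    }


def ptr_to_ip(name):
    """'241.150.49.20.in-addr.arpa' -> '20.49.150.241'; None for non-PTR names."""
    if not name or not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(text: str) -> dict:
    """Summarise connections per (ip, port, proto) and the addresses asked about in PTR queries."""
    rows = [parse_row(line) for line in text.splitlines() if line.strip()]
    connections = Counter()
    ptr_targets = set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_targets.add(ip)
            continue
        connections[(r["ip"], r["port"], r["proto"])] += 1
    contacted = {ip for ip, _, _ in connections}
    return {
        "connections": dict(connections),
        "ptr_targets": sorted(ptr_targets, key=ipaddress.IPv4Address),
        # A PTR query naming an address the sample connected to would tie the
        # DNS rows to the C2 traffic; an empty list means none of them does.
        "linked_ptr": sorted(contacted & ptr_targets),
    }


if __name__ == "__main__":
    result = triage(ROWS)
    for (ip, port, proto), n in result["connections"].items():
        print(f"{proto} {ip}:{port} x{n}")
    print("PTR lookups asked about:", ", ".join(result["ptr_targets"]))
    print("PTR lookups tied to a contacted address:", result["linked_ptr"] or "none")
```

The useful output is the single entry in `connections`: one destination, one high non-standard port, six connections in each run, and no DNS query in either table naming it in any form, so the sample reaches it by address rather than by name. That makes 13.72.81.58:13413 the actionable network IOC from this report; the eleven addresses behind the PTR queries are not contacted by the sample and should not be blocked on the strength of this table alone. Commodity stealer infrastructure rotates, so treat the IOC as dated to the report's 2024-11-06 detonation.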

Files

memory/1192-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

memory/1192-1-0x0000000000A40000-0x0000000000AA0000-memory.dmp

memory/1192-2-0x0000000002BF0000-0x0000000002BF6000-memory.dmp

memory/1192-3-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/1192-4-0x000000000AFF0000-0x000000000B608000-memory.dmp

memory/1192-5-0x000000000AB40000-0x000000000AC4A000-memory.dmp

memory/1192-6-0x000000000AA70000-0x000000000AA82000-memory.dmp

memory/1192-7-0x000000000AAD0000-0x000000000AB0C000-memory.dmp

memory/1192-8-0x0000000004D80000-0x0000000004DCC000-memory.dmp

memory/1192-9-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

memory/1192-10-0x0000000074AD0000-0x0000000075280000-memory.dmp