Malware Analysis Report

2024-12-01 02:52

Sample ID 241110-bsxc7syrdk
Target 52f7de462cdc8d66f7f562da63ec8fbb
SHA256 406c02c96c2f653ffd20e78b26bd0bc9ef963daf8bda2658116f271a2933eaab
Tags
redline ww discovery infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

406c02c96c2f653ffd20e78b26bd0bc9ef963daf8bda2658116f271a2933eaab

Threat Level: Known bad

The file 52f7de462cdc8d66f7f562da63ec8fbb was found to be: Known bad.

Malicious Activity Summary

redline ww discovery infostealer

RedLine

RedLine payload

Redline family

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:24

Reported

2024-11-10 01:27

Platform

win7-20241010-en

Max time kernel

140s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52f7de462cdc8d66f7f562da63ec8fbb.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\52f7de462cdc8d66f7f562da63ec8fbb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\52f7de462cdc8d66f7f562da63ec8fbb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\52f7de462cdc8d66f7f562da63ec8fbb.exe

"C:\Users\Admin\AppData\Local\Temp\52f7de462cdc8d66f7f562da63ec8fbb.exe"

Network

Country Destination Domain Proto
IR 193.106.191.67:44400 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:24

Reported

2024-11-10 01:27

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52f7de462cdc8d66f7f562da63ec8fbb.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\52f7de462cdc8d66f7f562da63ec8fbb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\52f7de462cdc8d66f7f562da63ec8fbb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\52f7de462cdc8d66f7f562da63ec8fbb.exe

"C:\Users\Admin\AppData\Local\Temp\52f7de462cdc8d66f7f562da63ec8fbb.exe"

Network

Country Destination Domain Proto

Files
