Malware Analysis Report

2024-12-01 01:13

Sample ID 241110-mp91nsvemp
Target 768371c6181a5a4fd4d4040ff17c2417a129775a6f51780fd5c8682ceda6985b
SHA256 768371c6181a5a4fd4d4040ff17c2417a129775a6f51780fd5c8682ceda6985b
Tags
redline 24.01 discovery infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

768371c6181a5a4fd4d4040ff17c2417a129775a6f51780fd5c8682ceda6985b

Threat Level: Known bad

The file 768371c6181a5a4fd4d4040ff17c2417a129775a6f51780fd5c8682ceda6985b was found to be: Known bad.

Malicious Activity Summary

redline 24.01 discovery infostealer

RedLine

Redline family

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 10:39

Signatures

Redline family

redline

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 10:39

Reported

2024-11-10 10:42

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\768371c6181a5a4fd4d4040ff17c2417a129775a6f51780fd5c8682ceda6985b.exe"

Signatures

RedLine

infostealer redline

Redline family

redline

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\768371c6181a5a4fd4d4040ff17c2417a129775a6f51780fd5c8682ceda6985b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\768371c6181a5a4fd4d4040ff17c2417a129775a6f51780fd5c8682ceda6985b.exe

"C:\Users\Admin\AppData\Local\Temp\768371c6181a5a4fd4d4040ff17c2417a129775a6f51780fd5c8682ceda6985b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 102.208.201.84.in-addr.arpa udp
RU 37.220.86.164:29170 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 37.220.86.164:29170 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
RU 37.220.86.164:29170 tcp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
US 8.8.8.8:53 104.208.201.84.in-addr.arpa udp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp

Files

memory/4116-0-0x00000000746AE000-0x00000000746AF000-memory.dmp

memory/4116-1-0x0000000000BA0000-0x0000000000BFA000-memory.dmp

memory/4116-2-0x0000000003090000-0x0000000003096000-memory.dmp

memory/4116-3-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/4116-4-0x0000000005C70000-0x0000000006288000-memory.dmp

memory/4116-5-0x00000000057D0000-0x00000000058DA000-memory.dmp

memory/4116-6-0x0000000005700000-0x0000000005712000-memory.dmp

memory/4116-7-0x0000000005760000-0x000000000579C000-memory.dmp

memory/4116-8-0x00000000058E0000-0x000000000592C000-memory.dmp

memory/4116-9-0x00000000746AE000-0x00000000746AF000-memory.dmp

memory/4116-10-0x00000000746A0000-0x0000000074E50000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 10:39

Reported

2024-11-10 10:42

Platform

win7-20240903-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\768371c6181a5a4fd4d4040ff17c2417a129775a6f51780fd5c8682ceda6985b.exe"

Signatures

RedLine

infostealer redline

Redline family

redline

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\768371c6181a5a4fd4d4040ff17c2417a129775a6f51780fd5c8682ceda6985b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\768371c6181a5a4fd4d4040ff17c2417a129775a6f51780fd5c8682ceda6985b.exe

"C:\Users\Admin\AppData\Local\Temp\768371c6181a5a4fd4d4040ff17c2417a129775a6f51780fd5c8682ceda6985b.exe"

Network

Country Destination Domain Proto
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp
RU 37.220.86.164:29170 tcp

Files

memory/1796-0-0x000000007463E000-0x000000007463F000-memory.dmp

memory/1796-1-0x0000000000D60000-0x0000000000DBA000-memory.dmp

memory/1796-2-0x00000000003F0000-0x00000000003F6000-memory.dmp

memory/1796-3-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/1796-4-0x000000007463E000-0x000000007463F000-memory.dmp

memory/1796-5-0x0000000074630000-0x0000000074D1E000-memory.dmp