Analysis

  • max time kernel
    34s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    26-12-2020 11:38

General

  • Target

    SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe

  • Size

    2.5MB

  • MD5

    726416c22fec0616dad74b6af93fdb2e

  • SHA1

    7bec6c4668e9ace3464e40f9a32bf325fc815ed9

  • SHA256

    5caf05d632263d6fcb361a630f017850caebd0c9851888a755c0dae99062df7e

  • SHA512

    472cb84ca1a48af7317e0521bc6912e986ff614d6f26729cd2efc1c64a0e17e454b627b217b09d4955d07391a8ff6b5e454563711964f374d7eea216bec7b5dc

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 3
        3⤵
        • Runs ping.exe
        PID:572

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/792-3-0x0000000074DA0000-0x000000007548E000-memory.dmp

    Filesize

    6.9MB

  • memory/792-4-0x0000000000C40000-0x0000000000C41000-memory.dmp

    Filesize

    4KB