Analysis
-
max time kernel
34s -
max time network
35s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
26-12-2020 11:38
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe
Resource
win7v20201028
General
-
Target
SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe
-
Size
2.5MB
-
MD5
726416c22fec0616dad74b6af93fdb2e
-
SHA1
7bec6c4668e9ace3464e40f9a32bf325fc815ed9
-
SHA256
5caf05d632263d6fcb361a630f017850caebd0c9851888a755c0dae99062df7e
-
SHA512
472cb84ca1a48af7317e0521bc6912e986ff614d6f26729cd2efc1c64a0e17e454b627b217b09d4955d07391a8ff6b5e454563711964f374d7eea216bec7b5dc
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe -
Deletes itself 1 IoCs
pid Process 1728 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 792 SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 572 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 792 SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe 792 SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 792 SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 792 wrote to memory of 1728 792 SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe 30 PID 792 wrote to memory of 1728 792 SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe 30 PID 792 wrote to memory of 1728 792 SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe 30 PID 792 wrote to memory of 1728 792 SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe 30 PID 1728 wrote to memory of 572 1728 cmd.exe 32 PID 1728 wrote to memory of 572 1728 cmd.exe 32 PID 1728 wrote to memory of 572 1728 cmd.exe 32 PID 1728 wrote to memory of 572 1728 cmd.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 33⤵
- Runs ping.exe
PID:572
-
-