Analysis
-
max time kernel
23s -
max time network
115s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
26-12-2020 11:38
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe
Resource
win7v20201028
General
-
Target
SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe
-
Size
2.5MB
-
MD5
726416c22fec0616dad74b6af93fdb2e
-
SHA1
7bec6c4668e9ace3464e40f9a32bf325fc815ed9
-
SHA256
5caf05d632263d6fcb361a630f017850caebd0c9851888a755c0dae99062df7e
-
SHA512
472cb84ca1a48af7317e0521bc6912e986ff614d6f26729cd2efc1c64a0e17e454b627b217b09d4955d07391a8ff6b5e454563711964f374d7eea216bec7b5dc
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3160 SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4056 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3160 SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe 3160 SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3160 SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3160 wrote to memory of 1364 3160 SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe 78 PID 3160 wrote to memory of 1364 3160 SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe 78 PID 3160 wrote to memory of 1364 3160 SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe 78 PID 1364 wrote to memory of 4056 1364 cmd.exe 80 PID 1364 wrote to memory of 4056 1364 cmd.exe 80 PID 1364 wrote to memory of 4056 1364 cmd.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 33⤵
- Runs ping.exe
PID:4056
-
-