Analysis
-
max time kernel
150s -
max time network
93s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-01-2021 12:18
Static task
static1
Behavioral task
behavioral1
Sample
Vixen Shelter Romance.scr.bin.exe
Resource
win7v20201028
General
-
Target
Vixen Shelter Romance.scr.bin.exe
-
Size
8.7MB
-
MD5
0521b0d5f0b688f1e854d385e4fb9ebb
-
SHA1
5180ef4fc778b5a9ff9b7c8ca6f41b500ca0c4d5
-
SHA256
171648fd46a4512cd2475bbd3720869cff6816786e1152080dc71fe60a68a727
-
SHA512
3dfa62a658bf549fe4225061df5d3203723aec6e842e807176a4cb9d7c55e94fe3ad30064f8ec89bb1c0393bb219351c9dac63ddaf0be279a64befc42587a93d
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Processes:
resource yara_rule behavioral1/memory/2004-5-0x0000000000290000-0x0000000000291000-memory.dmp vmprotect -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Vixen Shelter Romance.scr.bin.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Vixen Shelter Romance.scr.bin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Vixen Shelter Romance.scr.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
Vixen Shelter Romance.scr.bin.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Vixen Shelter Romance.scr.bin.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Vixen Shelter Romance.scr.bin.exepid process 2004 Vixen Shelter Romance.scr.bin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Vixen Shelter Romance.scr.bin.exepid process 2004 Vixen Shelter Romance.scr.bin.exe 2004 Vixen Shelter Romance.scr.bin.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Vixen Shelter Romance.scr.bin.exedescription pid process Token: SeDebugPrivilege 2004 Vixen Shelter Romance.scr.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Vixen Shelter Romance.scr.bin.exe"C:\Users\Admin\AppData\Local\Temp\Vixen Shelter Romance.scr.bin.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2004-2-0x0000000075EA1000-0x0000000075EA3000-memory.dmpFilesize
8KB
-
memory/2004-4-0x0000000073AF0000-0x00000000741DE000-memory.dmpFilesize
6.9MB
-
memory/2004-5-0x0000000000290000-0x0000000000291000-memory.dmpFilesize
4KB
-
memory/2004-7-0x00000000053E0000-0x00000000053E1000-memory.dmpFilesize
4KB