General
-
Target
SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089
-
Size
119KB
-
Sample
210212-p9h2hpy9re
-
MD5
ed05d2c233a6a37bfbffd7b27c12d2b9
-
SHA1
221cfaece1b2b6a736f071b367a62d4f229e940e
-
SHA256
381d09e67a798dfc8f96b33822cf4b0616652f44275f382ee75b9b6c840e04f2
-
SHA512
465c3da441d3fc710213bc3793fb4ae36a22ab5b196a0309e4b2ce6b03796adfc53598ab562d3bf38aaf5b5d5e2ec44e02179a3621e0928810232437e6506296
Malware Config
Targets
-
-
Target
SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089
-
Size
119KB
-
MD5
ed05d2c233a6a37bfbffd7b27c12d2b9
-
SHA1
221cfaece1b2b6a736f071b367a62d4f229e940e
-
SHA256
381d09e67a798dfc8f96b33822cf4b0616652f44275f382ee75b9b6c840e04f2
-
SHA512
465c3da441d3fc710213bc3793fb4ae36a22ab5b196a0309e4b2ce6b03796adfc53598ab562d3bf38aaf5b5d5e2ec44e02179a3621e0928810232437e6506296
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
themida
Detects Themida, Advanced Windows software protection system.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-