Analysis
max time kernel: 40s
max time network: 138s
platform: windows7_x64
resource: win7v20201028
submitted: 28-02-2021 19:14
Behavioral task: behavioral1
Sample: 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
Resource: win7v20201028

Behavioral task: behavioral2
Sample: 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
Resource: win10v20201028
General
Target: 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
Size: 2.6MB
MD5: 7d5efe07472bd441a9d6b3eefc33008f
SHA1: bd2d32b6b2145489eb7cf1371315bf97661e7f86
SHA256: 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca
SHA512: 49e87152870ddecfc8695fce4d6c81d0bab0889be26c85a3b14b0abf1f60cb848f63c244fde55266c72d58ac1a2c7e38e633b828e8177dc64fbda2c8e003c7bb
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
Processes:
resource | yara_rule
behavioral1/memory/784-4-0x0000000000D80000-0x0000000000D81000-memory.dmp | themida
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 784 | 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
Processes
C:\Users\Admin\AppData\Local\Temp\291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
"C:\Users\Admin\AppData\Local\Temp\291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe"
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID: 784