redline | 9fd72df8cc980ea1257a11c3e64acb9b004caa7670dbe36f021615ce636b567a

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7v20201028
submitted
11-03-2021 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
Size

957KB
MD5

c9160a76ce50e71aac16e13adc88b002
SHA1

90a0dbf0d1455e1d50c2f9a7f43bddad4e2b28c3
SHA256

9fd72df8cc980ea1257a11c3e64acb9b004caa7670dbe36f021615ce636b567a
SHA512

6d9f3d5e13c5e08e5a1b38fb08f1dee630421dbd52269704ff3149c75f0811d90aa88ab6a78a215389fef64ac7c26a05bd262a12b3fb2a2cd8f8cdc4dee5c4bb

Score

10^/10

redline discovery evasion infostealer spyware stealer themida trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1660-10-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/1660-11-0x000000000041FA46-mapping.dmp	family_redline
behavioral1/memory/1660-13-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

revs.exe

pid process

1984 revs.exe

pid	process
1984	revs.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

revs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	revs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	revs.exe

Drops startup file 1 IoCs

Processes:

revs.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe revs.exe
Loads dropped DLL 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe

pid process

1660 SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	revs.exe

pid	process
1660	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe

themida 4 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\revs.exe	themida
C:\Users\Admin\AppData\Local\Temp\revs.exe	themida
behavioral1/memory/1984-22-0x0000000000A10000-0x0000000000A11000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\revs.exe	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

revs.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA revs.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

revs.exe

pid process

1984 revs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	revs.exe

pid	process
1984	revs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe

description	pid	process	target process
PID 1872 set thread context of 1660	1872	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

revs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	revs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	revs.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exeSecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe

pid	process
1872	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
1872	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
1660	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
1660	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exeSecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exerevs.exe

description	pid	process
Token: SeDebugPrivilege	1872	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
Token: SeDebugPrivilege	1660	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
Token: SeDebugPrivilege	1984	revs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exeSecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe

description	pid	process	target process
PID 1872 wrote to memory of 1660	1872	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 1872 wrote to memory of 1660	1872	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 1872 wrote to memory of 1660	1872	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 1872 wrote to memory of 1660	1872	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 1872 wrote to memory of 1660	1872	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 1872 wrote to memory of 1660	1872	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 1872 wrote to memory of 1660	1872	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 1872 wrote to memory of 1660	1872	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 1872 wrote to memory of 1660	1872	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 1660 wrote to memory of 1984	1660	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	revs.exe
PID 1660 wrote to memory of 1984	1660	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	revs.exe
PID 1660 wrote to memory of 1984	1660	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	revs.exe
PID 1660 wrote to memory of 1984	1660	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	revs.exe
PID 1660 wrote to memory of 1984	1660	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	revs.exe
PID 1660 wrote to memory of 1984	1660	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	revs.exe
PID 1660 wrote to memory of 1984	1660	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	revs.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe"
2⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\revs.exe
"C:\Users\Admin\AppData\Local\Temp\revs.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
61a03d15cf62612f50b74867090dbe79

SHA1
15228f34067b4b107e917bebaf17cc7c3c1280a8

SHA256
f9e23dc21553daa34c6eb778cd262831e466ce794f4bea48150e8d70d3e6af6d

SHA512
5fece89ccbbf994e4f1e3ef89a502f25a72f359d445c034682758d26f01d9f3aa20a43010b9a87f2687da7ba201476922aa46d4906d442d56eb59b2b881259d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
12f238b64d648218ac028db1b8f78ec5

SHA1
d673ea801ef731da265e2f4132415538bddd1f1c

SHA256
7a7a2ac800e2a7f0f695e54d60442f22a9473c6acbfc24e7bdb3ee8efd50fd35

SHA512
2314be1638493e7f4fabf0c9f383df4cfd45d77bc1290fa0f714cb572803bf7b6fed9a814a4c274e492f98ebd7bca3c6977cb20a2a030599af62b36277eef725

Download Submit
C:\Users\Admin\AppData\Local\Temp\revs.exe
MD5
ee33281115a2970d784ab9731615fe31

SHA1
479d590f848f12ceca4e1170a0e0ce2e141f3cb8

SHA256
c56e6f80aa285705c1dc07d4dfa0183d525a39d5540dea942398899daa289b73

SHA512
e4695cb6abc5b9de4837a9100775dfb03bcdb4be3d838074d2f40f32a19416d17bc8688ecb82ddc1f95bc0cc29248ab8d100a7be24f58cadea1327addd101557

Download Submit
C:\Users\Admin\AppData\Local\Temp\revs.exe
MD5
ee33281115a2970d784ab9731615fe31

SHA1
479d590f848f12ceca4e1170a0e0ce2e141f3cb8

SHA256
c56e6f80aa285705c1dc07d4dfa0183d525a39d5540dea942398899daa289b73

SHA512
e4695cb6abc5b9de4837a9100775dfb03bcdb4be3d838074d2f40f32a19416d17bc8688ecb82ddc1f95bc0cc29248ab8d100a7be24f58cadea1327addd101557

Download Submit
\Users\Admin\AppData\Local\Temp\revs.exe
MD5
ee33281115a2970d784ab9731615fe31

SHA1
479d590f848f12ceca4e1170a0e0ce2e141f3cb8

SHA256
c56e6f80aa285705c1dc07d4dfa0183d525a39d5540dea942398899daa289b73

SHA512
e4695cb6abc5b9de4837a9100775dfb03bcdb4be3d838074d2f40f32a19416d17bc8688ecb82ddc1f95bc0cc29248ab8d100a7be24f58cadea1327addd101557

Download Submit
memory/1660-15-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/1660-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1660-11-0x000000000041FA46-mapping.dmp

Download
memory/1660-12-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/1660-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1872-9-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1872-2-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/1872-8-0x00000000006F0000-0x00000000006FB000-memory.dmp

Filesize
44KB

Download
memory/1872-7-0x0000000001F10000-0x0000000001F3F000-memory.dmp

Filesize
188KB

Download
memory/1872-5-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/1872-3-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-17-0x0000000000000000-mapping.dmp

Download
memory/1984-19-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1984-21-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/1984-22-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1984-24-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download