redline | 9fd72df8cc980ea1257a11c3e64acb9b004caa7670dbe36f021615ce636b567a

Analysis

max time kernel
56s
max time network
118s
platform
windows10_x64
resource
win10v20201028
submitted
11-03-2021 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
Size

957KB
MD5

c9160a76ce50e71aac16e13adc88b002
SHA1

90a0dbf0d1455e1d50c2f9a7f43bddad4e2b28c3
SHA256

9fd72df8cc980ea1257a11c3e64acb9b004caa7670dbe36f021615ce636b567a
SHA512

6d9f3d5e13c5e08e5a1b38fb08f1dee630421dbd52269704ff3149c75f0811d90aa88ab6a78a215389fef64ac7c26a05bd262a12b3fb2a2cd8f8cdc4dee5c4bb

Score

10^/10

redline discovery evasion infostealer spyware stealer themida trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3960-15-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/3960-16-0x000000000041FA46-mapping.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

revs.exe

pid process

2060 revs.exe

pid	process
2060	revs.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

revs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	revs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	revs.exe

Drops startup file 1 IoCs

Processes:

revs.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe revs.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	revs.exe

themida 3 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\revs.exe	themida
C:\Users\Admin\AppData\Local\Temp\revs.exe	themida
behavioral2/memory/2060-40-0x00000000001B0000-0x00000000001B1000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

revs.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA revs.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ipinfo.io
23 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

revs.exe

pid process

2060 revs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	revs.exe

flow	ioc
22	ipinfo.io
23	ipinfo.io

pid	process
2060	revs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe

description	pid	process	target process
PID 3884 set thread context of 3960	3884	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

revs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	revs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	revs.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exeSecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe

pid	process
3884	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
3884	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
3960	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
3960	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exeSecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exerevs.exe

description	pid	process
Token: SeDebugPrivilege	3884	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
Token: SeDebugPrivilege	3960	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
Token: SeDebugPrivilege	2060	revs.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exeSecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe

description	pid	process	target process
PID 3884 wrote to memory of 3960	3884	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 3884 wrote to memory of 3960	3884	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 3884 wrote to memory of 3960	3884	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 3884 wrote to memory of 3960	3884	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 3884 wrote to memory of 3960	3884	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 3884 wrote to memory of 3960	3884	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 3884 wrote to memory of 3960	3884	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 3884 wrote to memory of 3960	3884	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
PID 3960 wrote to memory of 2060	3960	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	revs.exe
PID 3960 wrote to memory of 2060	3960	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	revs.exe
PID 3960 wrote to memory of 2060	3960	SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe	revs.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Local\Temp\revs.exe
"C:\Users\Admin\AppData\Local\Temp\revs.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.PWS.Siggen2.61780.11290.1252.exe.log
MD5
01e4eba8e434fa7287c10d0aee40e222

SHA1
d1fafeae258aea82fb7ea75ef042e2bd54271604

SHA256
f64816ba4c3f141ec340b1b397399dfdccd60e5964a5d7ce769b486ca82d3ecc

SHA512
8735459ece63e69f5e573eaf75d75b49931a417a5f807e93235ed1ad97dac7a28e48071411eddad3890e83fca699ce208b26a64fed73cb6bf06e07399c1be185

Download Submit
C:\Users\Admin\AppData\Local\Temp\revs.exe
MD5
ee33281115a2970d784ab9731615fe31

SHA1
479d590f848f12ceca4e1170a0e0ce2e141f3cb8

SHA256
c56e6f80aa285705c1dc07d4dfa0183d525a39d5540dea942398899daa289b73

SHA512
e4695cb6abc5b9de4837a9100775dfb03bcdb4be3d838074d2f40f32a19416d17bc8688ecb82ddc1f95bc0cc29248ab8d100a7be24f58cadea1327addd101557

Download Submit
C:\Users\Admin\AppData\Local\Temp\revs.exe
MD5
ee33281115a2970d784ab9731615fe31

SHA1
479d590f848f12ceca4e1170a0e0ce2e141f3cb8

SHA256
c56e6f80aa285705c1dc07d4dfa0183d525a39d5540dea942398899daa289b73

SHA512
e4695cb6abc5b9de4837a9100775dfb03bcdb4be3d838074d2f40f32a19416d17bc8688ecb82ddc1f95bc0cc29248ab8d100a7be24f58cadea1327addd101557

Download Submit
memory/2060-42-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/2060-34-0x0000000000000000-mapping.dmp

Download
memory/2060-38-0x0000000077854000-0x0000000077855000-memory.dmp

Filesize
4KB

Download
memory/2060-39-0x0000000073AC0000-0x00000000741AE000-memory.dmp

Filesize
6.9MB

Download
memory/2060-40-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3884-7-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/3884-13-0x0000000009CE0000-0x0000000009CEB000-memory.dmp

Filesize
44KB

Download
memory/3884-14-0x000000000CCF0000-0x000000000CCF1000-memory.dmp

Filesize
4KB

Download
memory/3884-12-0x0000000005691000-0x0000000005692000-memory.dmp

Filesize
4KB

Download
memory/3884-11-0x0000000006E30000-0x0000000006E5F000-memory.dmp

Filesize
188KB

Download
memory/3884-9-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/3884-8-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/3884-6-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/3884-2-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/3884-5-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/3884-3-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3960-22-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/3960-26-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/3960-29-0x00000000069C0000-0x00000000069C1000-memory.dmp

Filesize
4KB

Download
memory/3960-30-0x0000000006A40000-0x0000000006A41000-memory.dmp

Filesize
4KB

Download
memory/3960-31-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/3960-32-0x0000000008120000-0x0000000008121000-memory.dmp

Filesize
4KB

Download
memory/3960-25-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/3960-24-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/3960-23-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/3960-21-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/3960-18-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/3960-16-0x000000000041FA46-mapping.dmp

Download
memory/3960-15-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download