redline | a7b172d3fb0092b616e486d62a628e6fa09608d9e9a54773bc34fd37f2227a3e

General

Target

725e7cdd6e81b01e6ab7361fd080af6a.exe
Size

5.4MB
MD5

725e7cdd6e81b01e6ab7361fd080af6a
SHA1

3580c0afb395eed72d0bdd86a129563540f3634e
SHA256

a7b172d3fb0092b616e486d62a628e6fa09608d9e9a54773bc34fd37f2227a3e
SHA512

ef080ab04b48f228ee5c003c07cfb05640fa0450e9a8f1ac7a652f80c9f9490153f49795daa044f5a57fac2448fb2c0237f076187114f546db255e7c221ba887

Score

10^/10

redline xmrig discovery evasion infostealer miner spyware stealer themida trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\servs.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\servs.exe	xmrig

Executes dropped EXE 3 IoCs

Processes:

evwws.exewlevs.exeservs.exe

pid process

2360 evwws.exe
812 wlevs.exe
3960 servs.exe

pid	process
2360	evwws.exe
812	wlevs.exe
3960	servs.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

725e7cdd6e81b01e6ab7361fd080af6a.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	725e7cdd6e81b01e6ab7361fd080af6a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	725e7cdd6e81b01e6ab7361fd080af6a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

themida 1 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1032-4-0x00000000003F0000-0x00000000003F1000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

725e7cdd6e81b01e6ab7361fd080af6a.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	725e7cdd6e81b01e6ab7361fd080af6a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

725e7cdd6e81b01e6ab7361fd080af6a.exe

pid process

1032 725e7cdd6e81b01e6ab7361fd080af6a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

725e7cdd6e81b01e6ab7361fd080af6a.exeservs.exe

pid process

1032 725e7cdd6e81b01e6ab7361fd080af6a.exe
3960 servs.exe
3960 servs.exe
3960 servs.exe
3960 servs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

725e7cdd6e81b01e6ab7361fd080af6a.exe

description pid process

Token: SeDebugPrivilege 1032 725e7cdd6e81b01e6ab7361fd080af6a.exe

pid	process
1032	725e7cdd6e81b01e6ab7361fd080af6a.exe

pid	process
1032	725e7cdd6e81b01e6ab7361fd080af6a.exe
3960	servs.exe
3960	servs.exe
3960	servs.exe
3960	servs.exe

description	pid	process
Token: SeDebugPrivilege	1032	725e7cdd6e81b01e6ab7361fd080af6a.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

725e7cdd6e81b01e6ab7361fd080af6a.exe

description	pid	process	target process
PID 1032 wrote to memory of 2360	1032	725e7cdd6e81b01e6ab7361fd080af6a.exe	evwws.exe
PID 1032 wrote to memory of 2360	1032	725e7cdd6e81b01e6ab7361fd080af6a.exe	evwws.exe
PID 1032 wrote to memory of 812	1032	725e7cdd6e81b01e6ab7361fd080af6a.exe	wlevs.exe
PID 1032 wrote to memory of 812	1032	725e7cdd6e81b01e6ab7361fd080af6a.exe	wlevs.exe
PID 1032 wrote to memory of 3960	1032	725e7cdd6e81b01e6ab7361fd080af6a.exe	servs.exe
PID 1032 wrote to memory of 3960	1032	725e7cdd6e81b01e6ab7361fd080af6a.exe	servs.exe

C:\Users\Admin\AppData\Local\Temp\725e7cdd6e81b01e6ab7361fd080af6a.exe
"C:\Users\Admin\AppData\Local\Temp\725e7cdd6e81b01e6ab7361fd080af6a.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\evwws.exe
"C:\Users\Admin\AppData\Local\Temp\evwws.exe"
2⤵
- Executes dropped EXE
PID:2360

C:\Users\Admin\AppData\Local\Temp\wlevs.exe
"C:\Users\Admin\AppData\Local\Temp\wlevs.exe"
2⤵
- Executes dropped EXE
PID:812

C:\Users\Admin\AppData\Local\Temp\servs.exe
"C:\Users\Admin\AppData\Local\Temp\servs.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Web Service

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\evwws.exe
MD5
5558f586862478fba863c9f08b00a312

SHA1
ce323d81cee5b679dbeb3c992d8de16079a343ec

SHA256
56e2b09d32e75d09a6543d945d0a59905039dacb9c6a30f0332eb1d5b1d75380

SHA512
cc95b77a4e7d21294c0b59c06459a8d817927b33f66e33cd0f68ee8daab994335258b5a738efbf8bed082ed4a480736ec76cfe881700752fe983fec091c6d25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\evwws.exe
MD5
5558f586862478fba863c9f08b00a312

SHA1
ce323d81cee5b679dbeb3c992d8de16079a343ec

SHA256
56e2b09d32e75d09a6543d945d0a59905039dacb9c6a30f0332eb1d5b1d75380

SHA512
cc95b77a4e7d21294c0b59c06459a8d817927b33f66e33cd0f68ee8daab994335258b5a738efbf8bed082ed4a480736ec76cfe881700752fe983fec091c6d25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\servs.exe
MD5
099d181819dd32f9e89d7bc7afd8ee22

SHA1
c826d3afa43fe1d52dfce13b5cc002d1d0137681

SHA256
711f9480b179be2456835df08da8aa29a1024a0d652a0ec7cb75d7f8f44e07d8

SHA512
300d3d5c492978f141ba0621291520e8acc9cc15e54da14b00a4ebdae3376aba44d439eb8059b88c57d2f2a10e5956c8cfe6f9d2985f5b86e1a3d5a211cf3404

Download Submit
C:\Users\Admin\AppData\Local\Temp\servs.exe
MD5
099d181819dd32f9e89d7bc7afd8ee22

SHA1
c826d3afa43fe1d52dfce13b5cc002d1d0137681

SHA256
711f9480b179be2456835df08da8aa29a1024a0d652a0ec7cb75d7f8f44e07d8

SHA512
300d3d5c492978f141ba0621291520e8acc9cc15e54da14b00a4ebdae3376aba44d439eb8059b88c57d2f2a10e5956c8cfe6f9d2985f5b86e1a3d5a211cf3404

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlevs.exe
MD5
34afbbd143dff19b346039f0d2889914

SHA1
b998a5edfbc67a5a056b25e11a232b297433729b

SHA256
c031a29ab360685db6dd3980848661d0d12343b798b918aca4e8422ab880355e

SHA512
ea130936b4d70bf144217b0979aec4791939c4fc1474afd4bc63628b72c1d0b20c544c5781dc794e686afe695a9d72d642be4e1568d1ac39673f52fd7e7f1462

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlevs.exe
MD5
34afbbd143dff19b346039f0d2889914

SHA1
b998a5edfbc67a5a056b25e11a232b297433729b

SHA256
c031a29ab360685db6dd3980848661d0d12343b798b918aca4e8422ab880355e

SHA512
ea130936b4d70bf144217b0979aec4791939c4fc1474afd4bc63628b72c1d0b20c544c5781dc794e686afe695a9d72d642be4e1568d1ac39673f52fd7e7f1462

Download Submit
memory/812-30-0x0000028827E40000-0x0000028827E54000-memory.dmp

Filesize
80KB

Download
memory/812-24-0x0000000000000000-mapping.dmp

Download
memory/1032-10-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/1032-9-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/1032-14-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/1032-15-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

Filesize
4KB

Download
memory/1032-16-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/1032-17-0x0000000006E90000-0x0000000006E91000-memory.dmp

Filesize
4KB

Download
memory/1032-18-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/1032-19-0x0000000006F30000-0x0000000006F31000-memory.dmp

Filesize
4KB

Download
memory/1032-20-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/1032-4-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1032-12-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/1032-11-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/1032-3-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/1032-13-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/1032-8-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/1032-6-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/1032-7-0x0000000077D14000-0x0000000077D15000-memory.dmp

Filesize
4KB

Download
memory/2360-21-0x0000000000000000-mapping.dmp

Download
memory/3960-27-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads