General
Target: 331064627d4361c3f3e3ba15d4d75afc.exe
Size: 1.1MB
Sample: 210313-ptwx49mrta
MD5: 331064627d4361c3f3e3ba15d4d75afc
SHA1: 090fa5f883dcd45de13f2a7896748925e26630ee
SHA256: 9234d9cc843e2d90cf272e76714371573ad4769d5e7e0de122120e45fec9cdea
SHA512: aa87f34aa129eef8dc3eabbf9c097161779c6580add5f694e0c779d3f9e9ba369765e05c3ab1816765bbad43cf78ac04cb5af8db9838742710b0b4aa17481df0
Static task: static1
Behavioral task: behavioral1
Sample: 331064627d4361c3f3e3ba15d4d75afc.exe
Resource: win7v20201028
Malware Config
Targets
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Modifies file permissions
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)
Defense Evasion
- Virtualization/Sandbox Evasion: 2
- File Permissions Modification: 1
- Install Root Certificate: 1
- Modify Registry: 1