Analysis
- max time kernel: 24s
- max time network: 23s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-03-2021 16:55
- Static task: static1
- Behavioral task: behavioral1
- Sample: 29d0bf8a76f51a9ec7d39f90cd7a5f57.exe
- Resource: win7v20201028
General
- Target: 29d0bf8a76f51a9ec7d39f90cd7a5f57.exe
- Size: 5.1MB
- MD5: 29d0bf8a76f51a9ec7d39f90cd7a5f57
- SHA1: d954337798846a9b8fb2609f94f287dbe63a03f8
- SHA256: 7fb4f8f5f89b3fb2a4e9a6605763436ebb679198ee5ebbcde8972bb1e20a8da5
- SHA512: 7020b1b21b27674d7a6d1b4b9708161818eecca8f743a37bcb80371e12d7452d522a65672529e41d392007e94427726ac60a6e6f87cf9f8c5cc1f09bf1a675ea
Malware Config

Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/384-7-0x0000000002EB0000-0x0000000002ED9000-memory.dmp | family_redline
  behavioral1/memory/384-11-0x0000000003030000-0x0000000003058000-memory.dmp | family_redline
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 29d0bf8a76f51a9ec7d39f90cd7a5f57.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 29d0bf8a76f51a9ec7d39f90cd7a5f57.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  Processes:
  resource | yara_rule
  behavioral1/memory/384-3-0x0000000000400000-0x0000000000F1E000-memory.dmp | themida
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 29d0bf8a76f51a9ec7d39f90cd7a5f57.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  pid | process
  384 | 29d0bf8a76f51a9ec7d39f90cd7a5f57.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid | process
  384 | 29d0bf8a76f51a9ec7d39f90cd7a5f57.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 384 | 29d0bf8a76f51a9ec7d39f90cd7a5f57.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\29d0bf8a76f51a9ec7d39f90cd7a5f57.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\29d0bf8a76f51a9ec7d39f90cd7a5f57.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/384-2-0x0000000076241000-0x0000000076243000-memory.dmp (Filesize: 8KB)
- memory/384-3-0x0000000000400000-0x0000000000F1E000-memory.dmp (Filesize: 11.1MB)
- memory/384-4-0x0000000000401000-0x000000000041B000-memory.dmp (Filesize: 104KB)
- memory/384-5-0x0000000002C20000-0x0000000002C31000-memory.dmp (Filesize: 68KB)
- memory/384-6-0x0000000074310000-0x00000000749FE000-memory.dmp (Filesize: 6.9MB)
- memory/384-7-0x0000000002EB0000-0x0000000002ED9000-memory.dmp (Filesize: 164KB)
- memory/384-8-0x0000000005411000-0x0000000005412000-memory.dmp (Filesize: 4KB)
- memory/384-9-0x0000000005412000-0x0000000005413000-memory.dmp (Filesize: 4KB)
- memory/384-10-0x0000000005413000-0x0000000005414000-memory.dmp (Filesize: 4KB)
- memory/384-11-0x0000000003030000-0x0000000003058000-memory.dmp (Filesize: 160KB)
- memory/384-12-0x0000000005414000-0x0000000005416000-memory.dmp (Filesize: 8KB)