General
Target: Sirus.exe
Size: 5.4MB
Sample: 210714-hbz8489zt6
MD5: 5e4a3d8845f4f31e4d737877f0689b97
SHA1: 69bdc176295e7899c4be7125a37bed5e94df051e
SHA256: 60f649f6d971c44b959f6fef2bf1d08c3dbe00edeac7a889e81adc761ba5ddba
SHA512: 7853f295f1167bf76ae2b207814c010be30f537909552c580782c2c45fbf7f954c32d39ffd2b4629c315b520fccffb264ad21e93384c94886ff9fa42d06b9e92
Static task: static1
Behavioral task: behavioral1
Sample: Sirus.exe
Resource: win7v20210408
Malware Config
Extracted: redline
444
185.237.165.42:61503
Targets
Target: Sirus.exe
Size: 5.4MB
MD5: 5e4a3d8845f4f31e4d737877f0689b97
SHA1: 69bdc176295e7899c4be7125a37bed5e94df051e
SHA256: 60f649f6d971c44b959f6fef2bf1d08c3dbe00edeac7a889e81adc761ba5ddba
SHA512: 7853f295f1167bf76ae2b207814c010be30f537909552c580782c2c45fbf7f954c32d39ffd2b4629c315b520fccffb264ad21e93384c94886ff9fa42d06b9e92
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext