Overview

overview

10

Static

static

7

Sirus.exe

windows7_x64

9

Sirus.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Sirus.exe

  • Size

    5.4MB

  • Sample

    210714-hbz8489zt6

  • MD5

    5e4a3d8845f4f31e4d737877f0689b97

  • SHA1

    69bdc176295e7899c4be7125a37bed5e94df051e

  • SHA256

    60f649f6d971c44b959f6fef2bf1d08c3dbe00edeac7a889e81adc761ba5ddba

  • SHA512

    7853f295f1167bf76ae2b207814c010be30f537909552c580782c2c45fbf7f954c32d39ffd2b4629c315b520fccffb264ad21e93384c94886ff9fa42d06b9e92

Score
10/10
redline444discoveryevasioninfostealerspywarestealerthemidatrojan

Malware Config

Extracted

Family

redline

Botnet

444

C2

185.237.165.42:61503

Targets

    • Target

      Sirus.exe

    • Size

      5.4MB

    • MD5

      5e4a3d8845f4f31e4d737877f0689b97

    • SHA1

      69bdc176295e7899c4be7125a37bed5e94df051e

    • SHA256

      60f649f6d971c44b959f6fef2bf1d08c3dbe00edeac7a889e81adc761ba5ddba

    • SHA512

      7853f295f1167bf76ae2b207814c010be30f537909552c580782c2c45fbf7f954c32d39ffd2b4629c315b520fccffb264ad21e93384c94886ff9fa42d06b9e92

    Score
    10/10
    evasionthemidatrojanredline444discoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks