Analysis
-
max time kernel
21s -
max time network
23s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
21-07-2021 22:59
Behavioral task
behavioral1
Sample
60aa3872c986eeacf55f0a0e935865a3.exe
Resource
win7v20210408
General
-
Target
60aa3872c986eeacf55f0a0e935865a3.exe
-
Size
3.0MB
-
MD5
60aa3872c986eeacf55f0a0e935865a3
-
SHA1
ceef478652b613149597a55cceb44d3c3c9aadc8
-
SHA256
b61afe14307f31673f7ca5970d1bc8226dc21ef34a3f71a549025bf5babb3e86
-
SHA512
fb9fc57b78a778cef221dc312a960986497b21176170c00292fa17e3f164365d69ccaf928fc7869ae3e8aaa91e6ddc7cd82839569439c139cc13dd879888da32
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
60aa3872c986eeacf55f0a0e935865a3.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 60aa3872c986eeacf55f0a0e935865a3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 60aa3872c986eeacf55f0a0e935865a3.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/memory/484-61-0x0000000001110000-0x0000000001111000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
60aa3872c986eeacf55f0a0e935865a3.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 60aa3872c986eeacf55f0a0e935865a3.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
60aa3872c986eeacf55f0a0e935865a3.exepid process 484 60aa3872c986eeacf55f0a0e935865a3.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
60aa3872c986eeacf55f0a0e935865a3.exepid process 484 60aa3872c986eeacf55f0a0e935865a3.exe 484 60aa3872c986eeacf55f0a0e935865a3.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
60aa3872c986eeacf55f0a0e935865a3.exedescription pid process Token: SeDebugPrivilege 484 60aa3872c986eeacf55f0a0e935865a3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\60aa3872c986eeacf55f0a0e935865a3.exe"C:\Users\Admin\AppData\Local\Temp\60aa3872c986eeacf55f0a0e935865a3.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken