Analysis
-
max time kernel
16s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
21-07-2021 22:59
General
-
Target
60aa3872c986eeacf55f0a0e935865a3.exe
-
Size
3.0MB
-
MD5
60aa3872c986eeacf55f0a0e935865a3
-
SHA1
ceef478652b613149597a55cceb44d3c3c9aadc8
-
SHA256
b61afe14307f31673f7ca5970d1bc8226dc21ef34a3f71a549025bf5babb3e86
-
SHA512
fb9fc57b78a778cef221dc312a960986497b21176170c00292fa17e3f164365d69ccaf928fc7869ae3e8aaa91e6ddc7cd82839569439c139cc13dd879888da32
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\60aa3872c986eeacf55f0a0e935865a3.exe"C:\Users\Admin\AppData\Local\Temp\60aa3872c986eeacf55f0a0e935865a3.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4024-115-0x0000000000320000-0x0000000000321000-memory.dmpFilesize
4KB
-
memory/4024-117-0x0000000005AE0000-0x0000000005AE1000-memory.dmpFilesize
4KB
-
memory/4024-118-0x0000000077DD0000-0x0000000077F5E000-memory.dmpFilesize
1.6MB
-
memory/4024-119-0x0000000005420000-0x0000000005421000-memory.dmpFilesize
4KB
-
memory/4024-120-0x0000000005480000-0x0000000005481000-memory.dmpFilesize
4KB
-
memory/4024-121-0x00000000054D0000-0x00000000054D1000-memory.dmpFilesize
4KB
-
memory/4024-122-0x00000000054C0000-0x00000000054C1000-memory.dmpFilesize
4KB
-
memory/4024-123-0x0000000005740000-0x0000000005741000-memory.dmpFilesize
4KB
-
memory/4024-124-0x0000000006870000-0x0000000006871000-memory.dmpFilesize
4KB
-
memory/4024-125-0x0000000006F70000-0x0000000006F71000-memory.dmpFilesize
4KB
-
memory/4024-126-0x0000000006A40000-0x0000000006A41000-memory.dmpFilesize
4KB
-
memory/4024-127-0x0000000006C50000-0x0000000006C51000-memory.dmpFilesize
4KB
-
memory/4024-128-0x00000000079A0000-0x00000000079A1000-memory.dmpFilesize
4KB