Analysis
-
max time kernel
19s -
max time network
115s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
22-07-2021 08:00
General
-
Target
70d34f5f6c1eb08f1dcc534a2c3eea81.exe
-
Size
4.4MB
-
MD5
70d34f5f6c1eb08f1dcc534a2c3eea81
-
SHA1
94bc98926077108bdd80856ff10c31bb159adebe
-
SHA256
76acd8a497e85765a133bdd3c90cb26d257f029c45d73c52b4effc06f94a2555
-
SHA512
2af35b87a280f0d66cb4df7ba9543de6ffa4ee912499d53ec507da0523fe6006eae45ddb569aee9d7e026e284f3edb4d30386049fb9b807e5b3e84e200a6c833
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\70d34f5f6c1eb08f1dcc534a2c3eea81.exe"C:\Users\Admin\AppData\Local\Temp\70d34f5f6c1eb08f1dcc534a2c3eea81.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3200-115-0x0000000077CD0000-0x0000000077E5E000-memory.dmpFilesize
1.6MB
-
memory/3200-116-0x00000000013C0000-0x00000000013C1000-memory.dmpFilesize
4KB
-
memory/3200-118-0x0000000006AC0000-0x0000000006AC1000-memory.dmpFilesize
4KB
-
memory/3200-119-0x00000000041F0000-0x00000000041F1000-memory.dmpFilesize
4KB
-
memory/3200-120-0x00000000064B0000-0x00000000064B1000-memory.dmpFilesize
4KB
-
memory/3200-121-0x0000000006440000-0x0000000006441000-memory.dmpFilesize
4KB
-
memory/3200-122-0x0000000006710000-0x0000000006711000-memory.dmpFilesize
4KB
-
memory/3200-123-0x00000000064A0000-0x00000000064A1000-memory.dmpFilesize
4KB
-
memory/3200-124-0x0000000007700000-0x0000000007701000-memory.dmpFilesize
4KB
-
memory/3200-125-0x0000000007E00000-0x0000000007E01000-memory.dmpFilesize
4KB
-
memory/3200-126-0x00000000078D0000-0x00000000078D1000-memory.dmpFilesize
4KB
-
memory/3200-127-0x0000000007B00000-0x0000000007B01000-memory.dmpFilesize
4KB
-
memory/3200-128-0x0000000008830000-0x0000000008831000-memory.dmpFilesize
4KB