redline | d54358095f37e6a9786a5a8997a5d591a015934acefb9da85f79705d81ccdc6f

General

Target

FrkarR.exe
Size

6.8MB
MD5

f86cfbbb6316becace4efae11cdfd424
SHA1

9a27c693283aa2c9d91cb3a40e1bf392c3d42d51
SHA256

d54358095f37e6a9786a5a8997a5d591a015934acefb9da85f79705d81ccdc6f
SHA512

f0b27d490f5a9ee19a055c62995de035a81754d1201912c4e18a3e1b8a96b98df7395f4a12e7c3654cdade406480a51c3dd08cb2a8ee067a67655b017b0f187c

Score

10^/10

redline discovery evasion infostealer spyware stealer themida trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

@kitukrit_protected.sfx.exe@kitukrit_protected.exe

pid process

2472 @kitukrit_protected.sfx.exe
4000 @kitukrit_protected.exe

pid	process
2472	@kitukrit_protected.sfx.exe
4000	@kitukrit_protected.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

@kitukrit_protected.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	@kitukrit_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	@kitukrit_protected.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.exe	themida
C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.exe	themida
behavioral1/memory/4000-126-0x00000000008B0000-0x00000000008B1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

@kitukrit_protected.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA @kitukrit_protected.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

@kitukrit_protected.exe

pid process

4000 @kitukrit_protected.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

@kitukrit_protected.exe

pid process

4000 @kitukrit_protected.exe
4000 @kitukrit_protected.exe
4000 @kitukrit_protected.exe
4000 @kitukrit_protected.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

@kitukrit_protected.exe

description pid process

Token: SeDebugPrivilege 4000 @kitukrit_protected.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	@kitukrit_protected.exe

pid	process
4000	@kitukrit_protected.exe

pid	process
4000	@kitukrit_protected.exe
4000	@kitukrit_protected.exe
4000	@kitukrit_protected.exe
4000	@kitukrit_protected.exe

description	pid	process
Token: SeDebugPrivilege	4000	@kitukrit_protected.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

FrkarR.exe@kitukrit_protected.sfx.exe

description	pid	process	target process
PID 2388 wrote to memory of 2472	2388	FrkarR.exe	@kitukrit_protected.sfx.exe
PID 2388 wrote to memory of 2472	2388	FrkarR.exe	@kitukrit_protected.sfx.exe
PID 2388 wrote to memory of 2472	2388	FrkarR.exe	@kitukrit_protected.sfx.exe
PID 2472 wrote to memory of 4000	2472	@kitukrit_protected.sfx.exe	@kitukrit_protected.exe
PID 2472 wrote to memory of 4000	2472	@kitukrit_protected.sfx.exe	@kitukrit_protected.exe
PID 2472 wrote to memory of 4000	2472	@kitukrit_protected.sfx.exe	@kitukrit_protected.exe

C:\Users\Admin\AppData\Local\Temp\FrkarR.exe
"C:\Users\Admin\AppData\Local\Temp\FrkarR.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.sfx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.exe
"C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.exe
MD5
bdded61f4e676bf27febc09492b55108

SHA1
68cabc1095a7f94e6fcbdf04bbe78e61bad097c2

SHA256
790fb2ce697a68c7ac3734f345b2779b84100f3613954c5cf1b063bc21c67ab4

SHA512
dd81f40e3182ec45f276456655924700f9ff9c81679b8a5a42641b4fca1965d495ef3be50a94e0b6e291e08cbff452d6e18dedceff395e5e04bbd9692253a1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.exe
MD5
bdded61f4e676bf27febc09492b55108

SHA1
68cabc1095a7f94e6fcbdf04bbe78e61bad097c2

SHA256
790fb2ce697a68c7ac3734f345b2779b84100f3613954c5cf1b063bc21c67ab4

SHA512
dd81f40e3182ec45f276456655924700f9ff9c81679b8a5a42641b4fca1965d495ef3be50a94e0b6e291e08cbff452d6e18dedceff395e5e04bbd9692253a1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.sfx.exe
MD5
e726f22e50e622b2ca5612e05a247525

SHA1
d11541d1f08fb6212ee60a30cb446821d2e36690

SHA256
2304084f7a8d97be4c6ae6e5cbac75478a04c4f63093f18bcf713f912a3da5d7

SHA512
aafed566df0333f783bc52f19951679a973e3c8396b68cc3dc5acc9f8f95684ceafcf113a27e0376f8531a9ccda3fb601080725109cfcb067b40151049336fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.sfx.exe
MD5
e726f22e50e622b2ca5612e05a247525

SHA1
d11541d1f08fb6212ee60a30cb446821d2e36690

SHA256
2304084f7a8d97be4c6ae6e5cbac75478a04c4f63093f18bcf713f912a3da5d7

SHA512
aafed566df0333f783bc52f19951679a973e3c8396b68cc3dc5acc9f8f95684ceafcf113a27e0376f8531a9ccda3fb601080725109cfcb067b40151049336fad

Download Submit
memory/2472-116-0x0000000000000000-mapping.dmp

Download
memory/4000-130-0x0000000003D20000-0x0000000003D21000-memory.dmp

Filesize
4KB

Download
memory/4000-132-0x0000000003E00000-0x0000000003E01000-memory.dmp

Filesize
4KB

Download
memory/4000-126-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/4000-128-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/4000-129-0x00000000076D0000-0x00000000076D1000-memory.dmp

Filesize
4KB

Download
memory/4000-121-0x0000000000000000-mapping.dmp

Download
memory/4000-131-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download
memory/4000-125-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/4000-133-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/4000-134-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/4000-135-0x00000000066C0000-0x0000000006BBE000-memory.dmp

Filesize
5.0MB

Download
memory/4000-136-0x00000000093F0000-0x00000000093F1000-memory.dmp

Filesize
4KB

Download
memory/4000-137-0x0000000009AF0000-0x0000000009AF1000-memory.dmp

Filesize
4KB

Download
memory/4000-138-0x0000000009290000-0x0000000009291000-memory.dmp

Filesize
4KB

Download
memory/4000-139-0x00000000096C0000-0x00000000096C1000-memory.dmp

Filesize
4KB

Download
memory/4000-140-0x0000000009760000-0x0000000009761000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads