Analysis
-
max time kernel
23s -
max time network
113s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
27-07-2021 12:22
General
-
Target
df882019f27f70c1048701cfba8b61c03417fbe29525cb8debea6815b96423d4.exe
-
Size
3.3MB
-
MD5
10b704043c5830e1e8cd977676b95738
-
SHA1
33f4164c2705d691b6cf59a4a834b5747e22d4d1
-
SHA256
df882019f27f70c1048701cfba8b61c03417fbe29525cb8debea6815b96423d4
-
SHA512
dec5dcfec3138ecf14f2d1129fbc2967b00522cd8b331f9456604575e4f0115c2d53c3b0df88a06edb3e6baac6a1939aedeec3a43697b334b4dac7694e442888
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\df882019f27f70c1048701cfba8b61c03417fbe29525cb8debea6815b96423d4.exe"C:\Users\Admin\AppData\Local\Temp\df882019f27f70c1048701cfba8b61c03417fbe29525cb8debea6815b96423d4.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1096-115-0x0000000077BB0000-0x0000000077D3E000-memory.dmpFilesize
1.6MB
-
memory/1096-116-0x0000000000900000-0x0000000000901000-memory.dmpFilesize
4KB
-
memory/1096-118-0x0000000006290000-0x0000000006291000-memory.dmpFilesize
4KB
-
memory/1096-119-0x0000000005C30000-0x0000000005C31000-memory.dmpFilesize
4KB
-
memory/1096-120-0x0000000005CC0000-0x0000000005CC1000-memory.dmpFilesize
4KB
-
memory/1096-121-0x0000000005C70000-0x0000000005C71000-memory.dmpFilesize
4KB
-
memory/1096-122-0x0000000005D00000-0x0000000005D01000-memory.dmpFilesize
4KB
-
memory/1096-123-0x0000000005E80000-0x0000000005E81000-memory.dmpFilesize
4KB
-
memory/1096-124-0x0000000007080000-0x0000000007081000-memory.dmpFilesize
4KB
-
memory/1096-125-0x0000000007780000-0x0000000007781000-memory.dmpFilesize
4KB
-
memory/1096-126-0x0000000007010000-0x0000000007011000-memory.dmpFilesize
4KB
-
memory/1096-127-0x0000000007420000-0x0000000007421000-memory.dmpFilesize
4KB
-
memory/1096-128-0x0000000007590000-0x0000000007591000-memory.dmpFilesize
4KB
-
memory/1096-129-0x00000000081B0000-0x00000000081B1000-memory.dmpFilesize
4KB
-
memory/1096-130-0x0000000007570000-0x0000000007571000-memory.dmpFilesize
4KB