Resubmissions
29-07-2021 15:09
210729-wzvqb879aa 1026-07-2021 20:08
210726-9lbbrtep2a 1026-07-2021 20:05
210726-bdzs4aydgx 9Analysis
-
max time kernel
121s -
max time network
164s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
29-07-2021 15:09
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7v20210410
General
-
Target
Setup.exe
-
Size
3.2MB
-
MD5
6a42e481e8c2f649a854b08cdaf73be4
-
SHA1
66d7883449483a44232053f77ed1701c3c3ac9e3
-
SHA256
3f4a6504fe8dc05ff75fe4a3bdf27eb509b2431ebaf4e189c23b9297ea300f19
-
SHA512
9d4b1d3ffafebf0faebe550f2d3064a1f515b908e049a5aca07b151d8bfe165d545f244bfd3960283a9310c18e50968834dc3fc471258ef8ddf7541e597d87be
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Setup.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/1308-62-0x0000000000150000-0x0000000000151000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Setup.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1308 Setup.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1308 Setup.exe 1308 Setup.exe 1308 Setup.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1308 Setup.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308