a2169db0fe5dc66d6a207a3d7adfe163decda2922c1980fc6d67e0a10638f9f8

Target

Size

879KB

Sample

220121-nec4maceb2

Score

10 ^/10

MD5

b1145a56bbeb10cb56f9482e6f0beea9

SHA1

e6d21a807cf01dffd4d03f63d816a21e9739fd6f

SHA256

a2169db0fe5dc66d6a207a3d7adfe163decda2922c1980fc6d67e0a10638f9f8

SHA512

87d72557604d0d6c3ce163a54e43ae597f93556346d13acc5028bc4904c0ad823ded6b887b2e56c94dacbc297aacaf43be675c519f11550e1c48b6e31d43bfda

Target

a2169db0fe5dc66d6a207a3d7adfe163decda2922c1980fc6d67e0a10638f9f8

MD5

b1145a56bbeb10cb56f9482e6f0beea9

Filesize

879KB

Score

10^/10

SHA1

e6d21a807cf01dffd4d03f63d816a21e9739fd6f

SHA256

a2169db0fe5dc66d6a207a3d7adfe163decda2922c1980fc6d67e0a10638f9f8

SHA512

87d72557604d0d6c3ce163a54e43ae597f93556346d13acc5028bc4904c0ad823ded6b887b2e56c94dacbc297aacaf43be675c519f11550e1c48b6e31d43bfda

Signatures

Modifies Windows Defender Real-time Protection settings
Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
RedLine
Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags

infostealer redline
RedLine Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Description

Detects executables packed with UPX/modified UPX open source packer.
Tags

upx
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Themida packer
Description

Detects Themida, an advanced Windows software protection system.
Tags

themida
Accesses cryptocurrency files/wallets, possible credential harvesting
Tags

spyware

TTPs

Data from Local SystemCredentials in Files
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Checks whether UAC is enabled
Tags

evasion trojan

TTPs

System Information Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral1

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

behavioral1

redline discovery evasion infostealer persistence spyware stealer themida trojan upx

10^/10

Tags

Signatures

Modifies Windows Defender Real-time Protection settings

Tags

TTPs

RedLine

Description

Tags

RedLine Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags

TTPs

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Description

Tags

Checks BIOS information in registry

Description

TTPs

Reads user/profile data of web browsers

Description

Tags

TTPs

Themida packer

Description

Tags

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags

TTPs

Adds Run key to start application

Tags

TTPs

Checks installed software on the system

Description

Tags

TTPs

Checks whether UAC is enabled

Tags

TTPs

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1