Overview

overview

10

Static

static

7

ef7568b962...51.exe

windows7_x64

10

ef7568b962...51.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    15-02-2022 04:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef7568b96269b4d6ad3eb511601eef749274d8fff7abd5df2b969f561cba9c51.exe

  • Size

    2.8MB

  • MD5

    7f588212000c34007cbcdbb0cbe729df

  • SHA1

    fb519d9d341abce47b77441869a4493042526e37

  • SHA256

    ef7568b96269b4d6ad3eb511601eef749274d8fff7abd5df2b969f561cba9c51

  • SHA512

    63fb89818adad0b4e79be191edb2153f4aeafa8ca247a6c8f23284007645d489ca4ffbd8799317ad35521633c1a99a7d04c0bdffc5f03cdaa55dd57b3cbffe54

Score
10/10
redlineevasioninfostealerthemidatrojan

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef7568b96269b4d6ad3eb511601eef749274d8fff7abd5df2b969f561cba9c51.exe
    "C:\Users\Admin\AppData\Local\Temp\ef7568b96269b4d6ad3eb511601eef749274d8fff7abd5df2b969f561cba9c51.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3184
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2520
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4468

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2520-141-0x0000019A12560000-0x0000019A12570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2520-142-0x0000019A12B20000-0x0000019A12B30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2520-143-0x0000019A151A0000-0x0000019A151A4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3184-130-0x00000000755E0000-0x00000000755E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3184-131-0x0000000077274000-0x0000000077276000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3184-135-0x0000000000910000-0x000000000105E000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/3184-134-0x000000007480E000-0x000000007480F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3184-136-0x0000000005FC0000-0x00000000065D8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3184-137-0x00000000058C0000-0x00000000058D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3184-138-0x0000000005AB0000-0x0000000005BBA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3184-139-0x0000000005920000-0x000000000595C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3184-140-0x0000000005990000-0x0000000005991000-memory.dmp

    Filesize

    4KB

    Download