redline | c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54

Analysis

max time kernel
152s
max time network
161s
platform
windows7_x64
resource
win7-en-20211208
submitted
15-02-2022 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe
Size

5.9MB
MD5

9a16a4046cc7bdd869231f836438e76b
SHA1

46e1633c6598b9297b2ec46f740d6da114c31a56
SHA256

c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54
SHA512

e682ceae529f3c86ffb3427f877f2abd2b6446daadd7469a16fc0be7f08a45845680589a55d2bd0c6fadb80ecff08155a8dfe5fc50b47396c475e587488b8317

Score

10^/10

redline evasion infostealer themida trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/648-72-0x0000000000350000-0x0000000000A9E000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 3 IoCs

Processes:

proliv06111.exeUnderdress.exeUnseduceability.exe

pid process

648 proliv06111.exe
616 Underdress.exe
1308 Unseduceability.exe

pid	process
648	proliv06111.exe
616	Underdress.exe
1308	Unseduceability.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

proliv06111.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	proliv06111.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	proliv06111.exe

Loads dropped DLL 4 IoCs

Processes:

c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exeUnderdress.exe

pid	process
1552	c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe
1552	c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe
616	Underdress.exe
616	Underdress.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\proliv06111.exe	themida
C:\Users\Admin\AppData\Roaming\proliv06111.exe	themida
behavioral1/memory/648-72-0x0000000000350000-0x0000000000A9E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

proliv06111.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA proliv06111.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

proliv06111.exe

pid process

648 proliv06111.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

proliv06111.exe

pid process

648 proliv06111.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	proliv06111.exe

pid	process
648	proliv06111.exe

pid	process
648	proliv06111.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exeUnderdress.exe

description	pid	process	target process
PID 1552 wrote to memory of 648	1552	c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe	proliv06111.exe
PID 1552 wrote to memory of 648	1552	c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe	proliv06111.exe
PID 1552 wrote to memory of 648	1552	c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe	proliv06111.exe
PID 1552 wrote to memory of 648	1552	c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe	proliv06111.exe
PID 1552 wrote to memory of 616	1552	c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe	Underdress.exe
PID 1552 wrote to memory of 616	1552	c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe	Underdress.exe
PID 1552 wrote to memory of 616	1552	c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe	Underdress.exe
PID 1552 wrote to memory of 616	1552	c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe	Underdress.exe
PID 1552 wrote to memory of 616	1552	c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe	Underdress.exe
PID 1552 wrote to memory of 616	1552	c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe	Underdress.exe
PID 1552 wrote to memory of 616	1552	c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe	Underdress.exe
PID 616 wrote to memory of 1308	616	Underdress.exe	Unseduceability.exe
PID 616 wrote to memory of 1308	616	Underdress.exe	Unseduceability.exe
PID 616 wrote to memory of 1308	616	Underdress.exe	Unseduceability.exe
PID 616 wrote to memory of 1308	616	Underdress.exe	Unseduceability.exe

C:\Users\Admin\AppData\Local\Temp\c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe
"C:\Users\Admin\AppData\Local\Temp\c9a7a2c5c72405bd331e9087ec23a14e744c52fe47e13e38a251c35092cdbd54.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Roaming\proliv06111.exe
  C:\Users\Admin\AppData\Roaming\proliv06111.exe
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:648
- C:\Users\Admin\AppData\Roaming\Underdress.exe
  C:\Users\Admin\AppData\Roaming\Underdress.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe
    "C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"
    3⤵
    - Executes dropped EXE
    PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
C:\Users\Admin\AppData\Roaming\Underdress.exe

MD5
98f60434f7be5433b37cd47ec5029537

SHA1
1bb8e44edde75b6f346d8997106efe57eba9e3ef

SHA256
c6e318d3262b78179f3f17c4cbf60405dc95634e6100199439fa21bba6216766

SHA512
df547958f85c0ad26c5636b4e6bbbb7ca198d5cc3e950f04fa0f5dc28aacdb50d03491adc098ca5cf11a819be9a8038726dad5ce7939fd007fcb550581094ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Underdress.exe

MD5
98f60434f7be5433b37cd47ec5029537

SHA1
1bb8e44edde75b6f346d8997106efe57eba9e3ef

SHA256
c6e318d3262b78179f3f17c4cbf60405dc95634e6100199439fa21bba6216766

SHA512
df547958f85c0ad26c5636b4e6bbbb7ca198d5cc3e950f04fa0f5dc28aacdb50d03491adc098ca5cf11a819be9a8038726dad5ce7939fd007fcb550581094ac7

Download Submit
C:\Users\Admin\AppData\Roaming\proliv06111.exe

MD5
172262941afe5b4b5a2b76906925a8d0

SHA1
c1be1aa09279aa1249409cb9eda7b0fd5689b0fb

SHA256
c9f6b9ddc754f5e29a33fbde267374329927f47454904d11ee117aef39585f60

SHA512
341c14acdbd8145c0f0b074b07151215e38fb45b10abaa5e8de16bc836377fa6ff60e06623e1ba8b270b780f2f712f3c0df8874f67ae26dcfd8a35fef2e6a079

Download Submit
\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
\Users\Admin\AppData\Roaming\Underdress.exe

MD5
98f60434f7be5433b37cd47ec5029537

SHA1
1bb8e44edde75b6f346d8997106efe57eba9e3ef

SHA256
c6e318d3262b78179f3f17c4cbf60405dc95634e6100199439fa21bba6216766

SHA512
df547958f85c0ad26c5636b4e6bbbb7ca198d5cc3e950f04fa0f5dc28aacdb50d03491adc098ca5cf11a819be9a8038726dad5ce7939fd007fcb550581094ac7

Download Submit
\Users\Admin\AppData\Roaming\proliv06111.exe

MD5
172262941afe5b4b5a2b76906925a8d0

SHA1
c1be1aa09279aa1249409cb9eda7b0fd5689b0fb

SHA256
c9f6b9ddc754f5e29a33fbde267374329927f47454904d11ee117aef39585f60

SHA512
341c14acdbd8145c0f0b074b07151215e38fb45b10abaa5e8de16bc836377fa6ff60e06623e1ba8b270b780f2f712f3c0df8874f67ae26dcfd8a35fef2e6a079

Download Submit
memory/648-71-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/648-59-0x00000000768C1000-0x00000000768C2000-memory.dmp

Filesize
4KB

Download
memory/648-64-0x00000000768C1000-0x00000000768C2000-memory.dmp

Filesize
4KB

Download
memory/648-81-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/648-72-0x0000000000350000-0x0000000000A9E000-memory.dmp

Filesize
7.3MB

Download
memory/648-65-0x000000007583E000-0x000000007583F000-memory.dmp

Filesize
4KB

Download
memory/648-61-0x000000007583E000-0x000000007583F000-memory.dmp

Filesize
4KB

Download
memory/648-66-0x0000000077BF0000-0x0000000077BF2000-memory.dmp

Filesize
8KB

Download
memory/648-60-0x00000000768C4000-0x00000000768C5000-memory.dmp

Filesize
4KB

Download
memory/1308-77-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

Filesize
4KB

Download
memory/1308-78-0x0000000000260000-0x00000000005C8000-memory.dmp

Filesize
3.4MB

Download
memory/1308-79-0x000000001C5B0000-0x000000001C8A0000-memory.dmp

Filesize
2.9MB

Download
memory/1308-80-0x000000001C090000-0x000000001C092000-memory.dmp

Filesize
8KB

Download
memory/1308-82-0x00000000005D0000-0x00000000005EA000-memory.dmp

Filesize
104KB

Download
memory/1552-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download