redline | ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950

Analysis

max time kernel
144s
max time network
158s
platform
windows7_x64
resource
win7-en-20211208
submitted
15-02-2022 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe
Size

6.4MB
MD5

1008944bf8de596e9d032ab66a46caa7
SHA1

cc411e0c3b2a7ef3e02618bdab39d9a023f0569d
SHA256

ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950
SHA512

67e9d1d78fa1a32b53f59c3a21846cb125b5f9d79acd56eb8357cd04aec754418a430b11287f106177439c49e9df08e72d5fab2e2ff1b7927cf2c48934ca393d

Score

10^/10

redline evasion infostealer themida trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1620-72-0x00000000013E0000-0x0000000001BA0000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 4 IoCs

Processes:

proliv041.exeUnderdress.exeUnseduceability.exe

pid process

1620 proliv041.exe
864 Underdress.exe
1236 Unseduceability.exe
1360

pid	process
1620	proliv041.exe
864	Underdress.exe
1236	Unseduceability.exe
1360

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

proliv041.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	proliv041.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	proliv041.exe

Loads dropped DLL 9 IoCs

Processes:

ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exeUnderdress.exeWerFault.exe

pid	process
764	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe
764	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe
864	Underdress.exe
864	Underdress.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\proliv041.exe	themida
C:\Users\Admin\AppData\Roaming\proliv041.exe	themida
behavioral1/memory/1620-72-0x00000000013E0000-0x0000000001BA0000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

proliv041.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA proliv041.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

proliv041.exe

pid process

1620 proliv041.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1728 1236 WerFault.exe Unseduceability.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

proliv041.exeWerFault.exe

pid process

1620 proliv041.exe
1728 WerFault.exe
1728 WerFault.exe
1728 WerFault.exe
1728 WerFault.exe
1728 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1728 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Unseduceability.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1236 Unseduceability.exe
Token: SeDebugPrivilege 1728 WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	proliv041.exe

pid	process
1620	proliv041.exe

pid	pid_target	process	target process
1728	1236	WerFault.exe	Unseduceability.exe

pid	process
1620	proliv041.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe

pid	process
1728	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1236	Unseduceability.exe
Token: SeDebugPrivilege	1728	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exeUnderdress.exeUnseduceability.exe

description	pid	process	target process
PID 764 wrote to memory of 1620	764	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	proliv041.exe
PID 764 wrote to memory of 1620	764	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	proliv041.exe
PID 764 wrote to memory of 1620	764	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	proliv041.exe
PID 764 wrote to memory of 1620	764	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	proliv041.exe
PID 764 wrote to memory of 864	764	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	Underdress.exe
PID 764 wrote to memory of 864	764	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	Underdress.exe
PID 764 wrote to memory of 864	764	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	Underdress.exe
PID 764 wrote to memory of 864	764	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	Underdress.exe
PID 764 wrote to memory of 864	764	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	Underdress.exe
PID 764 wrote to memory of 864	764	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	Underdress.exe
PID 764 wrote to memory of 864	764	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	Underdress.exe
PID 864 wrote to memory of 1236	864	Underdress.exe	Unseduceability.exe
PID 864 wrote to memory of 1236	864	Underdress.exe	Unseduceability.exe
PID 864 wrote to memory of 1236	864	Underdress.exe	Unseduceability.exe
PID 864 wrote to memory of 1236	864	Underdress.exe	Unseduceability.exe
PID 1236 wrote to memory of 1728	1236	Unseduceability.exe	WerFault.exe
PID 1236 wrote to memory of 1728	1236	Unseduceability.exe	WerFault.exe
PID 1236 wrote to memory of 1728	1236	Unseduceability.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe
"C:\Users\Admin\AppData\Local\Temp\ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Roaming\proliv041.exe
  C:\Users\Admin\AppData\Roaming\proliv041.exe
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\Users\Admin\AppData\Roaming\Underdress.exe
  C:\Users\Admin\AppData\Roaming\Underdress.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe
    "C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1236 -s 872
      4⤵
      Loads dropped DLL
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
C:\Users\Admin\AppData\Roaming\Underdress.exe

MD5
98f60434f7be5433b37cd47ec5029537

SHA1
1bb8e44edde75b6f346d8997106efe57eba9e3ef

SHA256
c6e318d3262b78179f3f17c4cbf60405dc95634e6100199439fa21bba6216766

SHA512
df547958f85c0ad26c5636b4e6bbbb7ca198d5cc3e950f04fa0f5dc28aacdb50d03491adc098ca5cf11a819be9a8038726dad5ce7939fd007fcb550581094ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Underdress.exe

MD5
98f60434f7be5433b37cd47ec5029537

SHA1
1bb8e44edde75b6f346d8997106efe57eba9e3ef

SHA256
c6e318d3262b78179f3f17c4cbf60405dc95634e6100199439fa21bba6216766

SHA512
df547958f85c0ad26c5636b4e6bbbb7ca198d5cc3e950f04fa0f5dc28aacdb50d03491adc098ca5cf11a819be9a8038726dad5ce7939fd007fcb550581094ac7

Download Submit
C:\Users\Admin\AppData\Roaming\proliv041.exe

MD5
95c9346936c5c633e7921950127049d6

SHA1
73f85b8663892657610d581e9529bd6e9342c0a8

SHA256
dccdfc1c0e6a10d9a3dd9ef2d07097f754dd4781d942ddebd9abed9559f8677d

SHA512
5a698d8ae664321a0ae006d103d41c89efdbba60edda1e752fc292c4173688c2855cb2dc88a2c236499339dee70b09cfc620c2f7fbb0330dcf2eff9f0a502866

Download Submit
\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
\Users\Admin\AppData\Roaming\Underdress.exe

MD5
98f60434f7be5433b37cd47ec5029537

SHA1
1bb8e44edde75b6f346d8997106efe57eba9e3ef

SHA256
c6e318d3262b78179f3f17c4cbf60405dc95634e6100199439fa21bba6216766

SHA512
df547958f85c0ad26c5636b4e6bbbb7ca198d5cc3e950f04fa0f5dc28aacdb50d03491adc098ca5cf11a819be9a8038726dad5ce7939fd007fcb550581094ac7

Download Submit
\Users\Admin\AppData\Roaming\proliv041.exe

MD5
95c9346936c5c633e7921950127049d6

SHA1
73f85b8663892657610d581e9529bd6e9342c0a8

SHA256
dccdfc1c0e6a10d9a3dd9ef2d07097f754dd4781d942ddebd9abed9559f8677d

SHA512
5a698d8ae664321a0ae006d103d41c89efdbba60edda1e752fc292c4173688c2855cb2dc88a2c236499339dee70b09cfc620c2f7fbb0330dcf2eff9f0a502866

Download Submit
memory/764-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1236-82-0x0000000022E10000-0x00000000230F4000-memory.dmp

Filesize
2.9MB

Download
memory/1236-84-0x0000000076CF0000-0x0000000076E99000-memory.dmp

Filesize
1.7MB

Download
memory/1236-91-0x0000000076CF1000-0x0000000076DF2000-memory.dmp

Filesize
1.0MB

Download
memory/1236-78-0x000000001C740000-0x000000001CA30000-memory.dmp

Filesize
2.9MB

Download
memory/1236-79-0x0000000000570000-0x000000000058A000-memory.dmp

Filesize
104KB

Download
memory/1236-80-0x000000001C1E0000-0x000000001C1E2000-memory.dmp

Filesize
8KB

Download
memory/1236-81-0x000000001C1E6000-0x000000001C205000-memory.dmp

Filesize
124KB

Download
memory/1236-90-0x000000001C205000-0x000000001C206000-memory.dmp

Filesize
4KB

Download
memory/1236-83-0x0000000023100000-0x0000000023312000-memory.dmp

Filesize
2.1MB

Download
memory/1236-76-0x0000000000E20000-0x0000000001188000-memory.dmp

Filesize
3.4MB

Download
memory/1236-75-0x000007FEF4C53000-0x000007FEF4C54000-memory.dmp

Filesize
4KB

Download
memory/1620-61-0x0000000074D11000-0x0000000074D12000-memory.dmp

Filesize
4KB

Download
memory/1620-62-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/1620-63-0x0000000074D14000-0x0000000074D15000-memory.dmp

Filesize
4KB

Download
memory/1620-69-0x0000000073A3E000-0x0000000073A3F000-memory.dmp

Filesize
4KB

Download
memory/1620-77-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/1620-72-0x00000000013E0000-0x0000000001BA0000-memory.dmp

Filesize
7.8MB

Download
memory/1620-64-0x0000000076EE0000-0x0000000076EE2000-memory.dmp

Filesize
8KB

Download
memory/1728-85-0x000007FEFB711000-0x000007FEFB713000-memory.dmp

Filesize
8KB

Download
memory/1728-94-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download