Overview

overview

10

Static

static

7

90be6ac311...1c.exe

windows7_x64

10

90be6ac311...1c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    15-02-2022 16:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90be6ac311a6ba3a3cf50f3fb4c39d67ead054ef3b23ff98866faba74e6fc61c.exe

  • Size

    5.1MB

  • MD5

    2a546fbb6001f5824e78096255282da9

  • SHA1

    5193501158de8a32bc0d91915e6f9a2af9f342ab

  • SHA256

    90be6ac311a6ba3a3cf50f3fb4c39d67ead054ef3b23ff98866faba74e6fc61c

  • SHA512

    da40f932a4a64d24feba65011e7b90a4a4c7b80069613564e6f89a17f216d0eced1805c99471ff2ba8d8d16355516a02afb001710485e0c09a06a999f67aa25a

Score
10/10
redline@sc4lly1337evasioninfostealerthemidatrojan

Malware Config

Extracted

Family

redline

Botnet

@sc4lly1337

C2

185.215.113.83:60722

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90be6ac311a6ba3a3cf50f3fb4c39d67ead054ef3b23ff98866faba74e6fc61c.exe
    "C:\Users\Admin\AppData\Local\Temp\90be6ac311a6ba3a3cf50f3fb4c39d67ead054ef3b23ff98866faba74e6fc61c.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1892

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1892-54-0x0000000076C61000-0x0000000076C63000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1892-57-0x00000000764B4000-0x00000000764B5000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1892-56-0x00000000764B1000-0x00000000764B2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1892-59-0x0000000077CC0000-0x0000000077CC2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1892-58-0x0000000076BEE000-0x0000000076BEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1892-60-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1892-61-0x0000000000D40000-0x0000000001A74000-memory.dmp

    Filesize

    13.2MB

    Download

  • memory/1892-62-0x0000000000D40000-0x0000000001A74000-memory.dmp

    Filesize

    13.2MB

    Download

  • memory/1892-63-0x00000000057D0000-0x00000000057D1000-memory.dmp

    Filesize

    4KB

    Download