Resubmissions

17-02-2022 14:46

220217-r5dpmacedn 10

17-02-2022 07:27

220217-h98k5aaeg8 10

General

  • Target

    Vape V4.05.exe

  • Size

    13.9MB

  • Sample

    220217-h98k5aaeg8

  • MD5

    b26285219a7d20505e4a8628fe4092f2

  • SHA1

    9b0109eb2e0fd5a401820262fe9a8272600685b1

  • SHA256

    829e4cdc3b9823f5967f4d84c0a5f0e654e95760d09eb5de9c9ad91544dc9478

  • SHA512

    da09d8e018d77c5cd4d56afc03b4228fdf5a9dbca0294c41f2808a7f106ad118253b895db87f6f6461b11830401e07e304c92572a0678bdb390e5e9b67cbe7d3

Malware Config

Targets

    • Target

      Vape V4.05.exe

    • Size

      13.9MB

    • MD5

      b26285219a7d20505e4a8628fe4092f2

    • SHA1

      9b0109eb2e0fd5a401820262fe9a8272600685b1

    • SHA256

      829e4cdc3b9823f5967f4d84c0a5f0e654e95760d09eb5de9c9ad91544dc9478

    • SHA512

      da09d8e018d77c5cd4d56afc03b4228fdf5a9dbca0294c41f2808a7f106ad118253b895db87f6f6461b11830401e07e304c92572a0678bdb390e5e9b67cbe7d3

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • evasion

      evasion.

    • rl_trojan

      redline stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks