Overview

overview

10

Static

static

5

186b2ec074...8b.exe

windows7_x64

10

186b2ec074...8b.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b

  • Size

    4.0MB

  • Sample

    220524-c57v5scgf9

  • MD5

    c6f561d1133de9edf4e61f564c0033da

  • SHA1

    6a08a99a7fb0efa14b99b2a3d48c08114e3fa666

  • SHA256

    186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b

  • SHA512

    e32b0c556aad858522602a006a35c0a6b46d3db80a60c472afd5f714b3df098047c8c2b1c6f28b630eb537c07eb917ba8be42d3cfbfde01a6b3015e9faf224ab

Score
10/10
redlineid19.04.20evasioninfostealerthemidatrojan

Malware Config

Extracted

Family

redline

Botnet

id19.04.20

C2

185.248.102.232:5692

Targets

    • Target

      186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b

    • Size

      4.0MB

    • MD5

      c6f561d1133de9edf4e61f564c0033da

    • SHA1

      6a08a99a7fb0efa14b99b2a3d48c08114e3fa666

    • SHA256

      186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b

    • SHA512

      e32b0c556aad858522602a006a35c0a6b46d3db80a60c472afd5f714b3df098047c8c2b1c6f28b630eb537c07eb917ba8be42d3cfbfde01a6b3015e9faf224ab

    Score
    10/10
    redlineid19.04.20evasioninfostealerthemidatrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks