redline | 186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b

General

Target

186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe
Size

4.0MB
MD5

c6f561d1133de9edf4e61f564c0033da
SHA1

6a08a99a7fb0efa14b99b2a3d48c08114e3fa666
SHA256

186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b
SHA512

e32b0c556aad858522602a006a35c0a6b46d3db80a60c472afd5f714b3df098047c8c2b1c6f28b630eb537c07eb917ba8be42d3cfbfde01a6b3015e9faf224ab

Score

10^/10

redline id19.04.20 evasion infostealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

id19.04.20

C2

185.248.102.232:5692

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2244-141-0x0000000000210000-0x00000000009CE000-memory.dmp	family_redline
behavioral2/memory/2244-142-0x0000000000210000-0x00000000009CE000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

gameApp.exe

pid process

2244 gameApp.exe

pid	process
2244	gameApp.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

gameApp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gameApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gameApp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe

Drops startup file 1 IoCs

Processes:

186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\newdev.url	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gameApp.exe	themida
C:\Users\Admin\AppData\Local\Temp\gameApp.exe	themida
behavioral2/memory/2244-141-0x0000000000210000-0x00000000009CE000-memory.dmp	themida
behavioral2/memory/2244-142-0x0000000000210000-0x00000000009CE000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

gameApp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gameApp.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

gameApp.exe

pid process

2244 gameApp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gameApp.exe

pid	process
2244	gameApp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe

description	pid	process	target process
PID 3096 set thread context of 2448	3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1576 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

gameApp.exe

pid process

2244 gameApp.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe

pid process

3096 186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

gameApp.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2244 gameApp.exe
Token: SeDebugPrivilege 1576 taskkill.exe

pid	process
1576	taskkill.exe

pid	process
2244	gameApp.exe

description	pid	process
Token: SeDebugPrivilege	2244	gameApp.exe
Token: SeDebugPrivilege	1576	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe

pid	process
3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe
3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe
3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe
3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe

pid	process
3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe
3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe
3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe
3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exegameApp.execmd.exe

description	pid	process	target process
PID 3096 wrote to memory of 2244	3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe	gameApp.exe
PID 3096 wrote to memory of 2244	3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe	gameApp.exe
PID 3096 wrote to memory of 2244	3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe	gameApp.exe
PID 3096 wrote to memory of 2448	3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe	MSBuild.exe
PID 3096 wrote to memory of 2448	3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe	MSBuild.exe
PID 3096 wrote to memory of 2448	3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe	MSBuild.exe
PID 3096 wrote to memory of 2448	3096	186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe	MSBuild.exe
PID 2244 wrote to memory of 1724	2244	gameApp.exe	cmd.exe
PID 2244 wrote to memory of 1724	2244	gameApp.exe	cmd.exe
PID 2244 wrote to memory of 1724	2244	gameApp.exe	cmd.exe
PID 1724 wrote to memory of 1576	1724	cmd.exe	taskkill.exe
PID 1724 wrote to memory of 1576	1724	cmd.exe	taskkill.exe
PID 1724 wrote to memory of 1576	1724	cmd.exe	taskkill.exe
PID 1724 wrote to memory of 3976	1724	cmd.exe	choice.exe
PID 1724 wrote to memory of 3976	1724	cmd.exe	choice.exe
PID 1724 wrote to memory of 3976	1724	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe
"C:\Users\Admin\AppData\Local\Temp\186b2ec0748147cb799008263e8609221eb4cc0ff0b68dbb314a06b752fd388b.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3096

C:\Users\Admin\AppData\Local\Temp\gameApp.exe
"C:\Users\Admin\AppData\Local\Temp\gameApp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 2244 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\gameApp.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 2244
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
PID:2448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gameApp.exe
Filesize
2.1MB

MD5
1811f486ee61752b7bb204edc2a48ef4

SHA1
651fd2262b47f6ab409d21a72093e83bee1cb9cd

SHA256
b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0

SHA512
519ceebc8118a953f6380ad05346ffcd1fb7ae6f9f0f6d68ec5ab8c8b3174bce81aef8011a572ea8d8dc7ac932b042a34879bc5fef5ba51f7b2d460073b8b19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gameApp.exe
Filesize
2.1MB

MD5
1811f486ee61752b7bb204edc2a48ef4

SHA1
651fd2262b47f6ab409d21a72093e83bee1cb9cd

SHA256
b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0

SHA512
519ceebc8118a953f6380ad05346ffcd1fb7ae6f9f0f6d68ec5ab8c8b3174bce81aef8011a572ea8d8dc7ac932b042a34879bc5fef5ba51f7b2d460073b8b19e

Download Submit
memory/1576-152-0x0000000000000000-mapping.dmp

Download
memory/1724-151-0x0000000000000000-mapping.dmp

Download
memory/2244-137-0x0000000077800000-0x00000000779A3000-memory.dmp

Filesize
1.6MB

Download
memory/2244-130-0x0000000000000000-mapping.dmp

Download
memory/2244-147-0x00000000063E0000-0x00000000069F8000-memory.dmp

Filesize
6.1MB

Download
memory/2244-150-0x00000000060B0000-0x00000000061BA000-memory.dmp

Filesize
1.0MB

Download
memory/2244-141-0x0000000000210000-0x00000000009CE000-memory.dmp

Filesize
7.7MB

Download
memory/2244-142-0x0000000000210000-0x00000000009CE000-memory.dmp

Filesize
7.7MB

Download
memory/2244-149-0x0000000005EB0000-0x0000000005EEC000-memory.dmp

Filesize
240KB

Download
memory/2244-148-0x0000000005E50000-0x0000000005E62000-memory.dmp

Filesize
72KB

Download
memory/2244-145-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/2448-138-0x0000000000000000-mapping.dmp

Download
memory/2448-146-0x0000000005980000-0x000000000598A000-memory.dmp

Filesize
40KB

Download
memory/2448-144-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/2448-143-0x0000000005A10000-0x0000000005FB4000-memory.dmp

Filesize
5.6MB

Download
memory/2448-140-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3096-139-0x00000000036C0000-0x00000000036C8000-memory.dmp

Filesize
32KB

Download
memory/3096-133-0x00000000036B0000-0x00000000036B8000-memory.dmp

Filesize
32KB

Download
memory/3976-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads