Analysis
- max time kernel: 143s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 22-06-2022 14:42
Static task: static1
Behavioral task: behavioral1
- Sample: 2d950b55304ad25f6e513d0d995a6b401f3121dfb26d1a9659c2daa06c83f3b0.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 2d950b55304ad25f6e513d0d995a6b401f3121dfb26d1a9659c2daa06c83f3b0.exe
- Resource: win10v2004-20220414-en
General
- Target: 2d950b55304ad25f6e513d0d995a6b401f3121dfb26d1a9659c2daa06c83f3b0.exe
- Size: 2.9MB
- MD5: c9480f159f75bcac7884e27751b0447a
- SHA1: 4d253e87f294b23b205753f7aa900b5c853d08c1
- SHA256: 2d950b55304ad25f6e513d0d995a6b401f3121dfb26d1a9659c2daa06c83f3b0
- SHA512: dc3b1728bc036f5b37910ef31b6e5d7ea0fffeba326dfa4e4bb6f90172bb1bea90f76c07bb098ed9e8da5c23393484b9bfd25d2900d1c9343fe591d02d3c3404
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoCs)
  Processes:
  resource                                                                      | yara_rule
  behavioral1/memory/1040-59-0x00000000010E0000-0x0000000001808000-memory.dmp  | family_redline
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Processes:
  description | ioc                                          | process
  Key opened  | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  | 2d950b55304ad25f6e513d0d995a6b401f3121dfb26d1a9659c2daa06c83f3b0.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description       | ioc                                                               | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  | 2d950b55304ad25f6e513d0d995a6b401f3121dfb26d1a9659c2daa06c83f3b0.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   | 2d950b55304ad25f6e513d0d995a6b401f3121dfb26d1a9659c2daa06c83f3b0.exe
- YARA rule match: themida (1 IoCs)
  Processes:
  resource                                                                      | yara_rule
  behavioral1/memory/1040-59-0x00000000010E0000-0x0000000001808000-memory.dmp  | themida
- Checks whether UAC is enabled (1 IoCs)
  Processes:
  description       | ioc                                                                              | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 2d950b55304ad25f6e513d0d995a6b401f3121dfb26d1a9659c2daa06c83f3b0.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  pid   | process
  1040  | 2d950b55304ad25f6e513d0d995a6b401f3121dfb26d1a9659c2daa06c83f3b0.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid   | process
  1040  | 2d950b55304ad25f6e513d0d995a6b401f3121dfb26d1a9659c2daa06c83f3b0.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2d950b55304ad25f6e513d0d995a6b401f3121dfb26d1a9659c2daa06c83f3b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d950b55304ad25f6e513d0d995a6b401f3121dfb26d1a9659c2daa06c83f3b0.exe"
  Level: 1
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1040-54-0x0000000076811000-0x0000000076813000-memory.dmp (Filesize: 8KB)
- memory/1040-55-0x00000000010E0000-0x0000000001808000-memory.dmp (Filesize: 7.2MB)
- memory/1040-58-0x0000000077860000-0x00000000779E0000-memory.dmp (Filesize: 1.5MB)
- memory/1040-59-0x00000000010E0000-0x0000000001808000-memory.dmp (Filesize: 7.2MB)