Analysis
- max time kernel: 76s
- max time network: 64s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 25-06-2022 09:49
Static task: static1
Behavioral task: behavioral1
  Sample: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
  Resource: win10v2004-20220414-en
General
- Target: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
- Size: 2.1MB
- MD5: 1811f486ee61752b7bb204edc2a48ef4
- SHA1: 651fd2262b47f6ab409d21a72093e83bee1cb9cd
- SHA256: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0
- SHA512: 519ceebc8118a953f6380ad05346ffcd1fb7ae6f9f0f6d68ec5ab8c8b3174bce81aef8011a572ea8d8dc7ac932b042a34879bc5fef5ba51f7b2d460073b8b19e
Malware Config
Extracted
- Family: redline
- Botnet ID: id19.04.20
- C2: 185.248.102.232:5692
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload 2 IoCs
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1856-60-0x0000000001360000-0x0000000001B1E000-memory.dmp  family_redline
  behavioral1/memory/1856-65-0x0000000001360000-0x0000000001B1E000-memory.dmp  family_redline
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  Processes:
  description  ioc                                          process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
- Themida packer (YARA rule themida) 3 IoCs
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1856-58-0x0000000001360000-0x0000000001B1E000-memory.dmp  themida
  behavioral1/memory/1856-60-0x0000000001360000-0x0000000001B1E000-memory.dmp  themida
  behavioral1/memory/1856-65-0x0000000001360000-0x0000000001B1E000-memory.dmp  themida
- Checks whether UAC is enabled 1 IoCs
  Processes:
  description        ioc                                                                          process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes:
  pid   process
  1856  b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
- Kills process with taskkill 1 IoCs
  Processes:
  pid  process
  428  taskkill.exe
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes:
  pid   process
  1856  b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  1856  b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
  Token: SeDebugPrivilege  428   taskkill.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes:
  description                        pid   process                                                               target process
  PID 1856 wrote to memory of 1400   1856  b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe  cmd.exe
  PID 1856 wrote to memory of 1400   1856  b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe  cmd.exe
  PID 1856 wrote to memory of 1400   1856  b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe  cmd.exe
  PID 1856 wrote to memory of 1400   1856  b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe  cmd.exe
  PID 1400 wrote to memory of 428    1400  cmd.exe                                                               taskkill.exe
  PID 1400 wrote to memory of 428    1400  cmd.exe                                                               taskkill.exe
  PID 1400 wrote to memory of 428    1400  cmd.exe                                                               taskkill.exe
  PID 1400 wrote to memory of 428    1400  cmd.exe                                                               taskkill.exe
  PID 1400 wrote to memory of 888    1400  cmd.exe                                                               choice.exe
  PID 1400 wrote to memory of 888    1400  cmd.exe                                                               choice.exe
  PID 1400 wrote to memory of 888    1400  cmd.exe                                                               choice.exe
  PID 1400 wrote to memory of 888    1400  cmd.exe                                                               choice.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
  "C:\Users\Admin\AppData\Local\Temp\b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C taskkill /F /PID 1856 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /PID 1856
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/428-63-0x0000000000000000-mapping.dmp
- memory/888-64-0x0000000000000000-mapping.dmp
- memory/1400-62-0x0000000000000000-mapping.dmp
- memory/1856-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp (Filesize 8KB)
- memory/1856-58-0x0000000001360000-0x0000000001B1E000-memory.dmp (Filesize 7.7MB)
- memory/1856-59-0x00000000774A0000-0x0000000077620000-memory.dmp (Filesize 1.5MB)
- memory/1856-60-0x0000000001360000-0x0000000001B1E000-memory.dmp (Filesize 7.7MB)
- memory/1856-61-0x0000000001360000-0x0000000001B1E000-memory.dmp (Filesize 7.7MB)
- memory/1856-65-0x0000000001360000-0x0000000001B1E000-memory.dmp (Filesize 7.7MB)
- memory/1856-66-0x00000000774A0000-0x0000000077620000-memory.dmp (Filesize 1.5MB)