Analysis
- max time kernel: 171s
- max time network: 180s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 09:49
Static task: static1
Behavioral task: behavioral1
- Sample: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
- Resource: win10v2004-20220414-en
General
- Target: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
- Size: 2.1MB
- MD5: 1811f486ee61752b7bb204edc2a48ef4
- SHA1: 651fd2262b47f6ab409d21a72093e83bee1cb9cd
- SHA256: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0
- SHA512: 519ceebc8118a953f6380ad05346ffcd1fb7ae6f9f0f6d68ec5ab8c8b3174bce81aef8011a572ea8d8dc7ac932b042a34879bc5fef5ba51f7b2d460073b8b19e
Malware Config
Extracted
- Family: redline
- Botnet: id19.04.20
- C2: 185.248.102.232:5692
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
- resource: behavioral2/memory/656-135-0x0000000000270000-0x0000000000A2E000-memory.dmp; yara_rule: family_redline
- resource: behavioral2/memory/656-145-0x0000000000270000-0x0000000000A2E000-memory.dmp; yara_rule: family_redline
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
- description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__; process: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion; process: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion; process: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
-
Themida packer 2 IoCs
Processes:
- resource: behavioral2/memory/656-135-0x0000000000270000-0x0000000000A2E000-memory.dmp; yara_rule: themida
- resource: behavioral2/memory/656-145-0x0000000000270000-0x0000000000A2E000-memory.dmp; yara_rule: themida
-
Checks whether UAC is enabled 1 IoCs
Processes:
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
- pid: 656; process: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
-
Kills process with taskkill 1 IoCs
Processes:
- pid: 4356; process: taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
- pid: 656; process: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- description: Token: SeDebugPrivilege; pid: 656; process: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
- description: Token: SeDebugPrivilege; pid: 4356; process: taskkill.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- description: PID 656 wrote to memory of 3464; pid: 656; process: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe; target process: cmd.exe
- description: PID 656 wrote to memory of 3464; pid: 656; process: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe; target process: cmd.exe
- description: PID 656 wrote to memory of 3464; pid: 656; process: b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe; target process: cmd.exe
- description: PID 3464 wrote to memory of 4356; pid: 3464; process: cmd.exe; target process: taskkill.exe
- description: PID 3464 wrote to memory of 4356; pid: 3464; process: cmd.exe; target process: taskkill.exe
- description: PID 3464 wrote to memory of 4356; pid: 3464; process: cmd.exe; target process: taskkill.exe
- description: PID 3464 wrote to memory of 4304; pid: 3464; process: cmd.exe; target process: choice.exe
- description: PID 3464 wrote to memory of 4304; pid: 3464; process: cmd.exe; target process: choice.exe
- description: PID 3464 wrote to memory of 4304; pid: 3464; process: cmd.exe; target process: choice.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C taskkill /F /PID 656 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\b2008c255a7ec096e323066f647c9c218656a6c2e5c2e1189b58a45048dca4a0.exe"
      - Suspicious use of WriteProcessMemory
      -
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /F /PID 656
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
      -
      3. C:\Windows\SysWOW64\choice.exe
         Command line: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/656-139-0x0000000077B80000-0x0000000077D23000-memory.dmp  Filesize: 1.6MB
- memory/656-141-0x0000000005B80000-0x0000000005BBC000-memory.dmp  Filesize: 240KB
- memory/656-135-0x0000000000270000-0x0000000000A2E000-memory.dmp  Filesize: 7.7MB
- memory/656-136-0x0000000005680000-0x00000000056E6000-memory.dmp  Filesize: 408KB
- memory/656-137-0x0000000006090000-0x00000000066A8000-memory.dmp  Filesize: 6.1MB
- memory/656-138-0x0000000000270000-0x0000000000A2E000-memory.dmp  Filesize: 7.7MB
- memory/656-134-0x0000000077B80000-0x0000000077D23000-memory.dmp  Filesize: 1.6MB
- memory/656-140-0x0000000005B20000-0x0000000005B32000-memory.dmp  Filesize: 72KB
- memory/656-130-0x0000000000270000-0x0000000000A2E000-memory.dmp  Filesize: 7.7MB
- memory/656-142-0x0000000005D80000-0x0000000005E8A000-memory.dmp  Filesize: 1.0MB
- memory/656-146-0x0000000077B80000-0x0000000077D23000-memory.dmp  Filesize: 1.6MB
- memory/656-145-0x0000000000270000-0x0000000000A2E000-memory.dmp  Filesize: 7.7MB
- memory/3464-143-0x0000000000000000-mapping.dmp
- memory/4304-147-0x0000000000000000-mapping.dmp
- memory/4356-144-0x0000000000000000-mapping.dmp