Analysis
-
max time kernel
149s -
max time network
158s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
26-06-2022 05:17
Static task
static1
Behavioral task
behavioral1
Sample
84dor.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
84dor.exe
-
Size
2.9MB
-
MD5
b29748ca349b93e3a68ae9d74c8c112f
-
SHA1
25fcb59baef4fee8d333137cac54256692bcd0a5
-
SHA256
3df58f95673ea66a822fde408a33da67bd66344ece4839b66ec266d1b489e079
-
SHA512
ecc59e7394059b0330c5762687b2390040071e6ca3b2d3d21d13d43fe3b80bd051a5d94df91182b288bb474da6e899f5df4f25d0c2a8944cf9ab6570c9533266
Malware Config
Extracted
Family
redline
Botnet
cheat
C2
84.38.132.100:29934
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/548-58-0x00000000013C0000-0x0000000001B46000-memory.dmp family_redline behavioral1/memory/548-59-0x00000000013C0000-0x0000000001B46000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
84dor.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 84dor.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
84dor.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 84dor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 84dor.exe -
Processes:
resource yara_rule behavioral1/memory/548-58-0x00000000013C0000-0x0000000001B46000-memory.dmp themida behavioral1/memory/548-59-0x00000000013C0000-0x0000000001B46000-memory.dmp themida -
Processes:
84dor.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 84dor.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
84dor.exepid process 548 84dor.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
84dor.exedescription pid process Token: SeDebugPrivilege 548 84dor.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\84dor.exe"C:\Users\Admin\AppData\Local\Temp\84dor.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/548-54-0x0000000076181000-0x0000000076183000-memory.dmpFilesize
8KB
-
memory/548-55-0x00000000013C0000-0x0000000001B46000-memory.dmpFilesize
7.5MB
-
memory/548-58-0x00000000013C0000-0x0000000001B46000-memory.dmpFilesize
7.5MB
-
memory/548-59-0x00000000013C0000-0x0000000001B46000-memory.dmpFilesize
7.5MB
-
memory/548-60-0x0000000077BE0000-0x0000000077D60000-memory.dmpFilesize
1.5MB
-
memory/548-61-0x00000000013C0000-0x0000000001B46000-memory.dmpFilesize
7.5MB
-
memory/548-62-0x0000000077BE0000-0x0000000077D60000-memory.dmpFilesize
1.5MB