Analysis
-
max time kernel
140s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
26-06-2022 05:17
Static task
static1
Behavioral task
behavioral1
Sample
84dor.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
84dor.exe
-
Size
2.9MB
-
MD5
b29748ca349b93e3a68ae9d74c8c112f
-
SHA1
25fcb59baef4fee8d333137cac54256692bcd0a5
-
SHA256
3df58f95673ea66a822fde408a33da67bd66344ece4839b66ec266d1b489e079
-
SHA512
ecc59e7394059b0330c5762687b2390040071e6ca3b2d3d21d13d43fe3b80bd051a5d94df91182b288bb474da6e899f5df4f25d0c2a8944cf9ab6570c9533266
Malware Config
Extracted
Family
redline
Botnet
cheat
C2
84.38.132.100:29934
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3316-134-0x00000000000B0000-0x0000000000836000-memory.dmp family_redline behavioral2/memory/3316-135-0x00000000000B0000-0x0000000000836000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
84dor.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 84dor.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
84dor.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 84dor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 84dor.exe -
Processes:
resource yara_rule behavioral2/memory/3316-134-0x00000000000B0000-0x0000000000836000-memory.dmp themida behavioral2/memory/3316-135-0x00000000000B0000-0x0000000000836000-memory.dmp themida -
Processes:
84dor.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 84dor.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
84dor.exepid process 3316 84dor.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
84dor.exedescription pid process Token: SeDebugPrivilege 3316 84dor.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\84dor.exe"C:\Users\Admin\AppData\Local\Temp\84dor.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3316-130-0x00000000000B0000-0x0000000000836000-memory.dmpFilesize
7.5MB
-
memory/3316-131-0x00000000772E0000-0x0000000077483000-memory.dmpFilesize
1.6MB
-
memory/3316-134-0x00000000000B0000-0x0000000000836000-memory.dmpFilesize
7.5MB
-
memory/3316-135-0x00000000000B0000-0x0000000000836000-memory.dmpFilesize
7.5MB
-
memory/3316-136-0x0000000005EE0000-0x00000000064F8000-memory.dmpFilesize
6.1MB
-
memory/3316-137-0x00000000058C0000-0x00000000058D2000-memory.dmpFilesize
72KB
-
memory/3316-138-0x0000000005920000-0x000000000595C000-memory.dmpFilesize
240KB
-
memory/3316-139-0x0000000005BB0000-0x0000000005CBA000-memory.dmpFilesize
1.0MB
-
memory/3316-140-0x00000000000B0000-0x0000000000836000-memory.dmpFilesize
7.5MB
-
memory/3316-141-0x00000000772E0000-0x0000000077483000-memory.dmpFilesize
1.6MB