Analysis

  • max time kernel
    136s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-07-2022 05:28

General

  • Target

    562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exe

  • Size

    2.9MB

  • MD5

    63668401a2060becb1b30dd29a3e5902

  • SHA1

    dbc2b76ffefad19270bcf27211332445f06c051f

  • SHA256

    562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0

  • SHA512

    172ea86dd06e1ab54097ca495adead976504fc02a477de8ffa3b7a7fd4a8311210405db0cec3724ac71c9f1e59bb2a89f53669a96f3ad059f75af11c49bb715c

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (1 IoCs)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer (1 IoCs)

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled (1 TTPs, 1 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exe
    "C:\Users\Admin\AppData\Local\Temp\562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1652

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1652-130-0x00000000002C0000-0x0000000000956000-memory.dmp
    Filesize

    6.6MB

  • memory/1652-133-0x00000000002C0000-0x0000000000956000-memory.dmp
    Filesize

    6.6MB

  • memory/1652-134-0x00000000776D0000-0x0000000077873000-memory.dmp
    Filesize

    1.6MB

  • memory/1652-135-0x0000000005FB0000-0x00000000065C8000-memory.dmp
    Filesize

    6.1MB

  • memory/1652-136-0x0000000005800000-0x0000000005812000-memory.dmp
    Filesize

    72KB

  • memory/1652-137-0x0000000005990000-0x0000000005A9A000-memory.dmp
    Filesize

    1.0MB

  • memory/1652-138-0x0000000005860000-0x000000000589C000-memory.dmp
    Filesize

    240KB

  • memory/1652-139-0x00000000002C0000-0x0000000000956000-memory.dmp
    Filesize

    6.6MB

  • memory/1652-140-0x00000000776D0000-0x0000000077873000-memory.dmp
    Filesize

    1.6MB