Overview

overview

10

Static

static

10

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    77s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-09-2022 20:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    361KB

  • MD5

    d84842f7912d62c8e9f44c8a11cb3cc0

  • SHA1

    2e42c24f7e4b5917664621deea56a2646497a3ce

  • SHA256

    c31382b24d3f3ed0cf2873aeb3bc2510ca7869a1ff64a55b48ccf8a7145b9493

  • SHA512

    772f9e6cf0dd5970c58212fddfb2e214582472ee21a28855700bec714d71b07d8ab66a7ef681b1b6b3c35958b76be01f6bb110d9b0a9c5b716a6a6f82defb4cd

  • SSDEEP

    6144:LoKpw8+J7IA2IWkKUpJFEtNDqO1fa5maeB7QtG9Pvn277hnlTpYGIrQ2+gFlA:Ly7oIWwpAb7i5maeB7QtG9Pvn277hnl/

Score
10/10
redline4discoveryevasioninfostealerspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

4

C2

79.110.62.196:26277

Attributes
  • auth_value

    e48cb0b64e920bb1a534eba5b2912707

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3468
    • C:\Users\Admin\AppData\Local\Temp\Updater.exe
      "C:\Users\Admin\AppData\Local\Temp\Updater.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Windows\SysWOW64\schtasks.exe
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
        3⤵
        • Creates scheduled task(s)
        PID:4168
  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Updater.exe
    Filesize

    2.8MB

    MD5

    ecfae3cc8a7ba2e4681a378864658af6

    SHA1

    a84beb327be022f600aed467c2029b4301756dca

    SHA256

    20239b724322bdef1aa4adbdfaa03a90d1f18a5b3b8bcfb16dec10a5823ac0fd

    SHA512

    33ce30cdcfb7b86cdd86e3f9ba7ff97ea168001eca76e0c05f14555a25ce200f2e661b03e8ab762b4a9330bfd794b6366912768a4cce7f88c60c9a2a5717abda

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Updater.exe
    Filesize

    2.8MB

    MD5

    ecfae3cc8a7ba2e4681a378864658af6

    SHA1

    a84beb327be022f600aed467c2029b4301756dca

    SHA256

    20239b724322bdef1aa4adbdfaa03a90d1f18a5b3b8bcfb16dec10a5823ac0fd

    SHA512

    33ce30cdcfb7b86cdd86e3f9ba7ff97ea168001eca76e0c05f14555a25ce200f2e661b03e8ab762b4a9330bfd794b6366912768a4cce7f88c60c9a2a5717abda

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Filesize

    2.8MB

    MD5

    ecfae3cc8a7ba2e4681a378864658af6

    SHA1

    a84beb327be022f600aed467c2029b4301756dca

    SHA256

    20239b724322bdef1aa4adbdfaa03a90d1f18a5b3b8bcfb16dec10a5823ac0fd

    SHA512

    33ce30cdcfb7b86cdd86e3f9ba7ff97ea168001eca76e0c05f14555a25ce200f2e661b03e8ab762b4a9330bfd794b6366912768a4cce7f88c60c9a2a5717abda

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Filesize

    2.8MB

    MD5

    ecfae3cc8a7ba2e4681a378864658af6

    SHA1

    a84beb327be022f600aed467c2029b4301756dca

    SHA256

    20239b724322bdef1aa4adbdfaa03a90d1f18a5b3b8bcfb16dec10a5823ac0fd

    SHA512

    33ce30cdcfb7b86cdd86e3f9ba7ff97ea168001eca76e0c05f14555a25ce200f2e661b03e8ab762b4a9330bfd794b6366912768a4cce7f88c60c9a2a5717abda

    Download Submit
  • memory/2776-154-0x0000000000EC0000-0x000000000137C000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/2776-160-0x0000000000EC0000-0x000000000137C000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/2776-159-0x0000000077520000-0x00000000776C3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2776-158-0x0000000000EC0000-0x000000000137C000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/2776-157-0x0000000000EC0000-0x000000000137C000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/2776-155-0x0000000077520000-0x00000000776C3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3468-142-0x000000000C5D0000-0x000000000C792000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3468-133-0x000000000B180000-0x000000000B798000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/3468-137-0x000000000AFB0000-0x000000000B042000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3468-135-0x000000000AC10000-0x000000000AC22000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3468-134-0x000000000ACE0000-0x000000000ADEA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3468-143-0x000000000CCD0000-0x000000000D1FC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/3468-138-0x000000000BD50000-0x000000000C2F4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3468-141-0x000000000BCB0000-0x000000000BD00000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3468-139-0x000000000B7A0000-0x000000000B806000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3468-140-0x000000000BC30000-0x000000000BCA6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3468-136-0x000000000AC70000-0x000000000ACAC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3468-132-0x0000000000AD0000-0x0000000000B30000-memory.dmp
    Filesize

    384KB

    Download
  • memory/4168-149-0x0000000000000000-mapping.dmp
    Download
  • memory/4332-156-0x0000000000000000-mapping.dmp
    Download
  • memory/4392-147-0x0000000000FD0000-0x000000000148C000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/4392-151-0x0000000077520000-0x00000000776C3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4392-150-0x0000000000FD0000-0x000000000148C000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/4392-148-0x0000000077520000-0x00000000776C3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4392-144-0x0000000000000000-mapping.dmp
    Download