redline | e42c3e841ee2520f38449522ec9d65b1bea1f3b132f0a0f4a5d35e139cbfb54a

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-01-2023 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

2.2MB
MD5

7f4e95b1c70c25c9b0954aab4d81b71a
SHA1

b508c5615884e687d346f8419251017b75e6e344
SHA256

b0d2e2e336fa7f582365371bfce4adda6ddcba26a45c8747d8d0f8c7d45e2007
SHA512

fcd66fa6598f4c061833def0f3645de29bdf8279e9e66917825667fd33f76705144dd76106411267c4681e6d223a6d5c9f96a1c665b209b2ff38c48608c95285
SSDEEP

24576:uwADqHUdg/oRHawXbFkzJIRPciYafr8sQi3vIOZTF2yGgqMxVlojQn7SCtCwxIzE:2Gr/ULBHLbH

Score

10^/10

redline @uncletravis evasion infostealer spyware trojan

Malware Config

Extracted

Family

redline

Botnet

@UncleTravis

45.15.156.155:80

Attributes

auth_value
b896f4c4d2610586a8f6e7ead9c5ec7f

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Installer.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Installer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Installer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Installer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Installer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Installer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Installer.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Installer.exe

description pid process target process

PID 1244 set thread context of 2020 1244 Installer.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2020 AppLaunch.exe
2020 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2020 AppLaunch.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Installer.exe

description	pid	process	target process
PID 1244 set thread context of 2020	1244	Installer.exe	AppLaunch.exe

pid	process
2020	AppLaunch.exe
2020	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2020	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Installer.exe

description	pid	process	target process
PID 1244 wrote to memory of 2020	1244	Installer.exe	AppLaunch.exe
PID 1244 wrote to memory of 2020	1244	Installer.exe	AppLaunch.exe
PID 1244 wrote to memory of 2020	1244	Installer.exe	AppLaunch.exe
PID 1244 wrote to memory of 2020	1244	Installer.exe	AppLaunch.exe
PID 1244 wrote to memory of 2020	1244	Installer.exe	AppLaunch.exe
PID 1244 wrote to memory of 2020	1244	Installer.exe	AppLaunch.exe
PID 1244 wrote to memory of 2020	1244	Installer.exe	AppLaunch.exe
PID 1244 wrote to memory of 2020	1244	Installer.exe	AppLaunch.exe
PID 1244 wrote to memory of 2020	1244	Installer.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1244-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1244-55-0x0000000000BE1000-0x0000000000BE3000-memory.dmp

Filesize
8KB

Download
memory/2020-56-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2020-58-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2020-63-0x000000000041B656-mapping.dmp

Download
memory/2020-64-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2020-65-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download