Analysis
- max time kernel: 31s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2023 10:13
- Static task: static1
- Behavioral task: behavioral1 (Sample: Installer.exe; Resource: win7-20221111-en)
- Behavioral task: behavioral2 (Sample: Installer.exe; Resource: win10v2004-20220901-en)
General
- Target: Installer.exe
- Size: 2.2MB
- MD5: 7f4e95b1c70c25c9b0954aab4d81b71a
- SHA1: b508c5615884e687d346f8419251017b75e6e344
- SHA256: b0d2e2e336fa7f582365371bfce4adda6ddcba26a45c8747d8d0f8c7d45e2007
- SHA512: fcd66fa6598f4c061833def0f3645de29bdf8279e9e66917825667fd33f76705144dd76106411267c4681e6d223a6d5c9f96a1c665b209b2ff38c48608c95285
- SSDEEP: 24576:uwADqHUdg/oRHawXbFkzJIRPciYafr8sQi3vIOZTF2yGgqMxVlojQn7SCtCwxIzE:2Gr/ULBHLbH
Malware Config
Extracted
- redline
- @UncleTravis
- 45.15.156.155:80
- auth_value: b896f4c4d2610586a8f6e7ead9c5ec7f
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes: Installer.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Installer.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Installer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Installer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Installer.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks whether UAC is enabled
  Processes: Installer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Installer.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Installer.exe
  description | pid | process | target process
  PID 1244 set thread context of 2020 | 1244 | Installer.exe | AppLaunch.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: AppLaunch.exe
  pid | process
  2020 | AppLaunch.exe
  2020 | AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: AppLaunch.exe
  description | pid | process
  Token: SeDebugPrivilege | 2020 | AppLaunch.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: Installer.exe
  description | pid | process | target process
  PID 1244 wrote to memory of 2020 | 1244 | Installer.exe | AppLaunch.exe (this entry is repeated 9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1244-54-0x0000000076531000-0x0000000076533000-memory.dmp (Filesize: 8KB)
- memory/1244-55-0x0000000000BE1000-0x0000000000BE3000-memory.dmp (Filesize: 8KB)
- memory/2020-56-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/2020-58-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/2020-63-0x000000000041B656-mapping.dmp
- memory/2020-64-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/2020-65-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)