Analysis
- max time kernel: 91s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2023 11:06
Static task: static1
Behavioral task: behavioral1
- Sample: b613c33ea1ca7d21c3114f5013964dbb.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: b613c33ea1ca7d21c3114f5013964dbb.exe
- Resource: win10v2004-20221111-en
General
- Target: b613c33ea1ca7d21c3114f5013964dbb.exe
- Size: 2.2MB
- MD5: b613c33ea1ca7d21c3114f5013964dbb
- SHA1: c54011895b450afdd90216f845afb28fd86dbb7a
- SHA256: dcf4a9e709b5f1dd912e2455dfeb7267548c5f0597b92d2fd67b8d7cba097377
- SHA512: b35364305b98ddb89f6f78ef438369409a853944bf0bdb8594a58d03fc7336b2e68e77e2cdd4d14d8fba94810fb2653b230987d8aff7d84ebd7fba8aabb631fa
- SSDEEP: 24576:KTXEPcN5JzQAMsJKStXO7sLeNVrMrtxZC1c6sDkFWE+QQdOvV/J0lDAdsBlwOxXD:gVVO7keNWuahOORJ/
Malware Config
Extracted
- Family: redline
- C2: 95.217.146.176:4283
- auth_value: a909e2aaecf96137978fea4f86400b9b
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes (b613c33ea1ca7d21c3114f5013964dbb.exe):
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: b613c33ea1ca7d21c3114f5013964dbb.exe)
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (b613c33ea1ca7d21c3114f5013964dbb.exe):
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: b613c33ea1ca7d21c3114f5013964dbb.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: b613c33ea1ca7d21c3114f5013964dbb.exe)
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks whether UAC is enabled
Processes (b613c33ea1ca7d21c3114f5013964dbb.exe):
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: b613c33ea1ca7d21c3114f5013964dbb.exe)
-
Suspicious use of SetThreadContext 1 IoCs
Processes (b613c33ea1ca7d21c3114f5013964dbb.exe):
  PID 780 set thread context of 1056 (pid: 780, process: b613c33ea1ca7d21c3114f5013964dbb.exe, target process: AppLaunch.exe)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (AppLaunch.exe):
  pid 1056, process AppLaunch.exe
  pid 1056, process AppLaunch.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (AppLaunch.exe):
  Token: SeDebugPrivilege (pid: 1056, process: AppLaunch.exe)
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes (b613c33ea1ca7d21c3114f5013964dbb.exe):
  PID 780 wrote to memory of 1056 (pid: 780, process: b613c33ea1ca7d21c3114f5013964dbb.exe, target process: AppLaunch.exe), logged 5 times
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\b613c33ea1ca7d21c3114f5013964dbb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b613c33ea1ca7d21c3114f5013964dbb.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
-
2. (child of 1) C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
   Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/780-132-0x0000000000611000-0x0000000000613000-memory.dmp (Filesize: 8KB)
- memory/1056-133-0x0000000000000000-mapping.dmp
- memory/1056-134-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1056-139-0x0000000005A80000-0x0000000006098000-memory.dmp (Filesize: 6.1MB)
- memory/1056-140-0x0000000005600000-0x000000000570A000-memory.dmp (Filesize: 1.0MB)
- memory/1056-141-0x0000000005530000-0x0000000005542000-memory.dmp (Filesize: 72KB)
- memory/1056-142-0x00000000055A0000-0x00000000055DC000-memory.dmp (Filesize: 240KB)
- memory/1056-143-0x00000000058A0000-0x0000000005906000-memory.dmp (Filesize: 408KB)
- memory/1056-144-0x0000000006960000-0x0000000006F04000-memory.dmp (Filesize: 5.6MB)
- memory/1056-145-0x0000000006490000-0x0000000006522000-memory.dmp (Filesize: 584KB)
- memory/1056-146-0x0000000006F10000-0x00000000070D2000-memory.dmp (Filesize: 1.8MB)
- memory/1056-147-0x0000000007610000-0x0000000007B3C000-memory.dmp (Filesize: 5.2MB)