Analysis
-
max time kernel
41s -
max time network
45s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system -
submitted
30/06/2023, 03:06
General
-
Target
build.exe
-
Size
7.1MB
-
MD5
5cd90568bf2a538daf7bfc44b10dd62f
-
SHA1
31a5b2fde42676bc48a4ffe6d5aaa944289bcb07
-
SHA256
38c92127fdd9f81e44c55a6e0ec72c3c8f2d04d8ba18fcacb068e815027d7328
-
SHA512
f3956fb48bfc2d0be13daf5281991a97cb3c77844f68232d994c30b94336d08575ea85159bd2fbdea35e2ac82928fdf73fd85cb790aee45c260980575bb38c5b
-
SSDEEP
98304:GB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:7cUG4raKu24YY7HVT4hV0AD6QgqKRgX
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral1/memory/924-133-0x00000000000A0000-0x00000000007BA000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ build.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion build.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion build.exe -
Loads dropped DLL 1 IoCs
pid Process 924 build.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/924-133-0x00000000000A0000-0x00000000007BA000-memory.dmp agile_net -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x00010000000230dd-138.dat themida behavioral1/files/0x00010000000230dd-140.dat themida behavioral1/memory/924-142-0x00000000725D0000-0x0000000072D55000-memory.dmp themida behavioral1/memory/924-144-0x00000000725D0000-0x0000000072D55000-memory.dmp themida behavioral1/memory/924-145-0x00000000725D0000-0x0000000072D55000-memory.dmp themida behavioral1/memory/924-151-0x00000000725D0000-0x0000000072D55000-memory.dmp themida behavioral1/memory/924-311-0x00000000725D0000-0x0000000072D55000-memory.dmp themida behavioral1/memory/924-312-0x00000000725D0000-0x0000000072D55000-memory.dmp themida behavioral1/memory/924-314-0x00000000725D0000-0x0000000072D55000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA build.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 924 build.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 924 build.exe 924 build.exe 924 build.exe 924 build.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 924 build.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.8MB
MD51e275530f75ec0222ad0a49117819936
SHA1c469db9377442dc65d1c4c6cc5985b28cb1c26e2
SHA256d8519a2a1f40baeb1ee2e6eb1aca27745e5dcab7c046d65b27246e24af57d2bb
SHA51276af1a2193a3b4dc6adc31c9d160b368c6d1a6368af1e99065b53c01cd1c6a93533167a570e6ea68959eeb06b24664f182ad7eef5d7f1ecbfc4cd55e83a72061
-
Filesize
2.8MB
MD51e275530f75ec0222ad0a49117819936
SHA1c469db9377442dc65d1c4c6cc5985b28cb1c26e2
SHA256d8519a2a1f40baeb1ee2e6eb1aca27745e5dcab7c046d65b27246e24af57d2bb
SHA51276af1a2193a3b4dc6adc31c9d160b368c6d1a6368af1e99065b53c01cd1c6a93533167a570e6ea68959eeb06b24664f182ad7eef5d7f1ecbfc4cd55e83a72061
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
92KB
MD54b92e3c4a1139598503c9cc15d2fa234
SHA119fbb79791259d91b4e80d7a5e73ecb53c47f613
SHA256bb235273f1befffb33c931732d2a2ead6f2b7356eee66cfa2288a48e9b51eb56
SHA5126129e7a17a2fb1056b62a4484220b7e35006aacdad7e5bcd4f74b43f8b9bf9ac535b43165af9ff1fb69d61f13fcb6a6a0879b78322b48dfb2dde1abe4877d6e8
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
112KB
MD5780853cddeaee8de70f28a4b255a600b
SHA1ad7a5da33f7ad12946153c497e990720b09005ed
SHA2561055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3
SHA512e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8
-
Filesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77