Overview

overview

10

Static

static

7

9b06361b48...d9.exe

windows7-x64

10

9b06361b48...d9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    17-07-2023 09:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b06361b484531e8d71b64fbb32534d9.exe

  • Size

    2.3MB

  • MD5

    9b06361b484531e8d71b64fbb32534d9

  • SHA1

    6c47e8bfaf1b82c57c861312f1fe130cc5e21c96

  • SHA256

    753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd

  • SHA512

    dd9ab0d96801bdc8e541c60f0cb23f8c5089f8cefd4fa9041dae5d6d7e393f27ff25cc445117e3804f235fabce0fd2ae80d284463ef2278da5afb6a81f285bbb

  • SSDEEP

    49152:SgUFBrKkyuD7ug6e1NsUfgvig28JUU1y4unHZ1IxLRoV:eJK1umgBUU+n28uUMxHXIh6

Score
10/10
redline150723_rc_11evasioninfostealerspywarethemidatrojan

Malware Config

Extracted

Family

redline

Botnet

150723_rc_11

C2

rcam15.tuktuk.ug:11290

Attributes
  • auth_value

    0b3645317afbcac212f68853bb45b46d

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b06361b484531e8d71b64fbb32534d9.exe
    "C:\Users\Admin\AppData\Local\Temp\9b06361b484531e8d71b64fbb32534d9.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2972

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2280-85-0x0000000000350000-0x0000000000365000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2280-59-0x0000000075800000-0x0000000075910000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2280-58-0x0000000075510000-0x0000000075557000-memory.dmp

    Filesize

    284KB

    Download

  • memory/2280-83-0x0000000000350000-0x0000000000365000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2280-60-0x0000000075800000-0x0000000075910000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2280-61-0x0000000075510000-0x0000000075557000-memory.dmp

    Filesize

    284KB

    Download

  • memory/2280-62-0x00000000772E0000-0x00000000772E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2280-63-0x0000000000EB0000-0x000000000146A000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2280-64-0x0000000000EB0000-0x000000000146A000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2280-66-0x0000000075510000-0x0000000075557000-memory.dmp

    Filesize

    284KB

    Download

  • memory/2280-68-0x0000000075800000-0x0000000075910000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2280-67-0x0000000075800000-0x0000000075910000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2280-69-0x0000000000350000-0x000000000036C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2280-70-0x0000000000350000-0x0000000000365000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2280-71-0x0000000000350000-0x0000000000365000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2280-89-0x0000000000350000-0x0000000000365000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2280-75-0x0000000000350000-0x0000000000365000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2280-77-0x0000000000350000-0x0000000000365000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2280-81-0x0000000000350000-0x0000000000365000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2280-79-0x0000000000350000-0x0000000000365000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2280-54-0x0000000000EB0000-0x000000000146A000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2280-57-0x0000000075800000-0x0000000075910000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2280-73-0x0000000000350000-0x0000000000365000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2280-87-0x0000000000350000-0x0000000000365000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2280-93-0x0000000000350000-0x0000000000365000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2280-91-0x0000000000350000-0x0000000000365000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2280-107-0x0000000000EB0000-0x000000000146A000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2280-106-0x0000000075510000-0x0000000075557000-memory.dmp

    Filesize

    284KB

    Download

  • memory/2280-105-0x0000000075800000-0x0000000075910000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2972-94-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2972-95-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2972-99-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2972-101-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2972-103-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2972-97-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2972-98-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2972-96-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2972-110-0x0000000000D30000-0x0000000000D70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2972-109-0x0000000073F00000-0x00000000745EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2972-108-0x0000000000310000-0x0000000000316000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2972-111-0x0000000073F00000-0x00000000745EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2972-112-0x0000000000D30000-0x0000000000D70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2972-113-0x0000000073F00000-0x00000000745EE000-memory.dmp

    Filesize

    6.9MB

    Download