redline | f36b1f58aebb51a74d55b774fb51849fb1668ef7c9915ac6da56d7d43fbf6782

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01/10/2023, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbcd0bd3d290667882c1ab2dba469f61.exe
Size

3.2MB
MD5

dbcd0bd3d290667882c1ab2dba469f61
SHA1

6a8392b6cc84d5fe11eebe5c7608017aec5fcdfc
SHA256

f36b1f58aebb51a74d55b774fb51849fb1668ef7c9915ac6da56d7d43fbf6782
SHA512

ee4185b58b124129d31f93e4c5152b236a4ab6ca1c340a6d09f200eba653f4a9908096fb72e241a1e38ff67bf71aae3e500490c1a798c44e55ac5d4d843fd83d
SSDEEP

49152:DOpya1VuZQol8eADmnYviG3yqpuhhofJr37Qtcb7KD1licT6HQMb:Cpya1Vw2eADpvbyqpyhofpCcbSnIQ

Score

10^/10

redline seevpalpadin-930 evasion infostealer spyware themida trojan

Malware Config

Extracted

Family

redline

Botnet

seevpalpadin-930

38.181.25.43:3325

Attributes

auth_value
e6927db74f64e90a4b02f736972d9d7c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dbcd0bd3d290667882c1ab2dba469f61.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dbcd0bd3d290667882c1ab2dba469f61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dbcd0bd3d290667882c1ab2dba469f61.exe

Loads dropped DLL 1 IoCs

pid	Process
2936	dbcd0bd3d290667882c1ab2dba469f61.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2936-18-0x0000000000CA0000-0x000000000134A000-memory.dmp	themida
behavioral1/memory/2936-58-0x0000000000CA0000-0x000000000134A000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd0bd3d290667882c1ab2dba469f61.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2936	dbcd0bd3d290667882c1ab2dba469f61.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2936 set thread context of 2620	2936	dbcd0bd3d290667882c1ab2dba469f61.exe	28

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2936	dbcd0bd3d290667882c1ab2dba469f61.exe
2620	AppLaunch.exe
2620	AppLaunch.exe
2620	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	AppLaunch.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2620	2936	dbcd0bd3d290667882c1ab2dba469f61.exe	28
PID 2936 wrote to memory of 2620	2936	dbcd0bd3d290667882c1ab2dba469f61.exe	28
PID 2936 wrote to memory of 2620	2936	dbcd0bd3d290667882c1ab2dba469f61.exe	28
PID 2936 wrote to memory of 2620	2936	dbcd0bd3d290667882c1ab2dba469f61.exe	28
PID 2936 wrote to memory of 2620	2936	dbcd0bd3d290667882c1ab2dba469f61.exe	28
PID 2936 wrote to memory of 2620	2936	dbcd0bd3d290667882c1ab2dba469f61.exe	28
PID 2936 wrote to memory of 2620	2936	dbcd0bd3d290667882c1ab2dba469f61.exe	28
PID 2936 wrote to memory of 2620	2936	dbcd0bd3d290667882c1ab2dba469f61.exe	28
PID 2936 wrote to memory of 2620	2936	dbcd0bd3d290667882c1ab2dba469f61.exe	28
PID 2936 wrote to memory of 2620	2936	dbcd0bd3d290667882c1ab2dba469f61.exe	28
PID 2936 wrote to memory of 2620	2936	dbcd0bd3d290667882c1ab2dba469f61.exe	28
PID 2936 wrote to memory of 2620	2936	dbcd0bd3d290667882c1ab2dba469f61.exe	28

C:\Users\Admin\AppData\Local\Temp\dbcd0bd3d290667882c1ab2dba469f61.exe
"C:\Users\Admin\AppData\Local\Temp\dbcd0bd3d290667882c1ab2dba469f61.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/2620-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2620-49-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2620-50-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2620-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2620-81-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-80-0x0000000000D30000-0x0000000000D70000-memory.dmp

Filesize
256KB

Download
memory/2620-77-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/2620-76-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-57-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2620-63-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2620-53-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2620-52-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-38-0x00000000050D0000-0x0000000005110000-memory.dmp

Filesize
256KB

Download
memory/2936-7-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-10-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-11-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-13-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-15-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-16-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-17-0x0000000077A60000-0x0000000077A62000-memory.dmp

Filesize
8KB

Download
memory/2936-18-0x0000000000CA0000-0x000000000134A000-memory.dmp

Filesize
6.7MB

Download
memory/2936-19-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2936-20-0x0000000000CA0000-0x000000000134A000-memory.dmp

Filesize
6.7MB

Download
memory/2936-22-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-24-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-23-0x0000000075D10000-0x0000000075D57000-memory.dmp

Filesize
284KB

Download
memory/2936-25-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-26-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-27-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-28-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-29-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-30-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-31-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2936-32-0x00000000053F0000-0x0000000005582000-memory.dmp

Filesize
1.6MB

Download
memory/2936-37-0x00000000050D0000-0x0000000005110000-memory.dmp

Filesize
256KB

Download
memory/2936-8-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-39-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2936-40-0x00000000050D0000-0x0000000005110000-memory.dmp

Filesize
256KB

Download
memory/2936-41-0x00000000050D0000-0x0000000005110000-memory.dmp

Filesize
256KB

Download
memory/2936-42-0x00000000050D0000-0x0000000005110000-memory.dmp

Filesize
256KB

Download
memory/2936-43-0x00000000050D0000-0x0000000005110000-memory.dmp

Filesize
256KB

Download
memory/2936-9-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-6-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-44-0x0000000005AF0000-0x0000000005BF0000-memory.dmp

Filesize
1024KB

Download
memory/2936-45-0x00000000050D0000-0x0000000005110000-memory.dmp

Filesize
256KB

Download
memory/2936-46-0x00000000050D0000-0x0000000005110000-memory.dmp

Filesize
256KB

Download
memory/2936-47-0x00000000050D0000-0x0000000005110000-memory.dmp

Filesize
256KB

Download
memory/2936-59-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-58-0x0000000000CA0000-0x000000000134A000-memory.dmp

Filesize
6.7MB

Download
memory/2936-61-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-64-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-65-0x0000000075D10000-0x0000000075D57000-memory.dmp

Filesize
284KB

Download
memory/2936-66-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-67-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-68-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-69-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-70-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-71-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-72-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-73-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-74-0x00000000050D0000-0x0000000005110000-memory.dmp

Filesize
256KB

Download
memory/2936-5-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-62-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-4-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-56-0x00000000050D0000-0x0000000005110000-memory.dmp

Filesize
256KB

Download
memory/2936-75-0x00000000050D0000-0x0000000005110000-memory.dmp

Filesize
256KB

Download
memory/2936-3-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-2-0x0000000075D10000-0x0000000075D57000-memory.dmp

Filesize
284KB

Download
memory/2936-78-0x00000000050D0000-0x0000000005110000-memory.dmp

Filesize
256KB

Download
memory/2936-79-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2936-1-0x0000000075D60000-0x0000000075E70000-memory.dmp

Filesize
1.1MB

Download
memory/2936-0-0x0000000000CA0000-0x000000000134A000-memory.dmp

Filesize
6.7MB

Download