redline | 262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb

Analysis

max time kernel
71s
max time network
192s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
16/10/2023, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe
Size

3.1MB
MD5

0c2f5ded9cb6a46f070bda0c18509c1e
SHA1

ee0f259887b4bdd125f429106e3457988187dd33
SHA256

262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb
SHA512

44555fb1f1d638033a82e5f06d83776efc3bd9d0a215b1e0a4bf8221b2b256d85060c4327946b426464f6a48cc88b4897738ac564834189e1cc30dec996c83ae
SSDEEP

49152:L/B1Ci1WvFpI4fsnEH8rZhjRP29qZBuve3FEaRq3AZ99F001Wp5w2PIHS:LK9+4sn9hjROIP/BRq3AH97WpNPu

Score

10^/10

redline evasion infostealer spyware themida trojan

Malware Config

Signatures

Detects DLL dropped by Raspberry Robin. 5 IoCs

Raspberry Robin.

resource	yara_rule
behavioral2/memory/4760-1-0x0000000074FE0000-0x00000000751A2000-memory.dmp	Raspberry_Robin_DLL_MAY_2022
behavioral2/memory/4760-2-0x0000000074FE0000-0x00000000751A2000-memory.dmp	Raspberry_Robin_DLL_MAY_2022
behavioral2/memory/4760-6-0x0000000074FE0000-0x00000000751A2000-memory.dmp	Raspberry_Robin_DLL_MAY_2022
behavioral2/memory/4760-19-0x0000000074FE0000-0x00000000751A2000-memory.dmp	Raspberry_Robin_DLL_MAY_2022
behavioral2/memory/4760-59-0x0000000074FE0000-0x00000000751A2000-memory.dmp	Raspberry_Robin_DLL_MAY_2022

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/164-50-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4760-13-0x0000000000890000-0x000000000100C000-memory.dmp	themida
behavioral2/memory/4760-58-0x0000000000890000-0x000000000100C000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4760	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4760 set thread context of 164	4760	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe	70

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4760	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe
4760	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe
164	AppLaunch.exe
164	AppLaunch.exe
164	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe
Token: SeDebugPrivilege	164	AppLaunch.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 164	4760	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe	70
PID 4760 wrote to memory of 164	4760	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe	70
PID 4760 wrote to memory of 164	4760	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe	70
PID 4760 wrote to memory of 164	4760	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe	70
PID 4760 wrote to memory of 164	4760	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe	70
PID 4760 wrote to memory of 164	4760	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe	70
PID 4760 wrote to memory of 164	4760	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe	70
PID 4760 wrote to memory of 164	4760	262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe	70

C:\Users\Admin\AppData\Local\Temp\262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe
"C:\Users\Admin\AppData\Local\Temp\262e90c269d9e14ffd85c28b4d13793daf3f6fb45a8dad07a73be091376adacb.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/164-50-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/164-57-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/164-62-0x000000000B550000-0x000000000B560000-memory.dmp

Filesize
64KB

Download
memory/164-63-0x000000000C230000-0x000000000C836000-memory.dmp

Filesize
6.0MB

Download
memory/164-64-0x000000000B500000-0x000000000B512000-memory.dmp

Filesize
72KB

Download
memory/164-759-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/164-756-0x000000000B550000-0x000000000B560000-memory.dmp

Filesize
64KB

Download
memory/164-755-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/164-408-0x000000000AE80000-0x000000000AE9E000-memory.dmp

Filesize
120KB

Download
memory/164-407-0x000000000D990000-0x000000000DEBC000-memory.dmp

Filesize
5.2MB

Download
memory/164-406-0x000000000D290000-0x000000000D452000-memory.dmp

Filesize
1.8MB

Download
memory/164-405-0x000000000AD00000-0x000000000AD76000-memory.dmp

Filesize
472KB

Download
memory/164-72-0x000000000BDB0000-0x000000000BE16000-memory.dmp

Filesize
408KB

Download
memory/164-67-0x000000000B5E0000-0x000000000B62B000-memory.dmp

Filesize
300KB

Download
memory/164-66-0x000000000B5A0000-0x000000000B5DE000-memory.dmp

Filesize
248KB

Download
memory/164-65-0x000000000BC20000-0x000000000BD2A000-memory.dmp

Filesize
1.0MB

Download
memory/4760-27-0x0000000005D60000-0x0000000005D75000-memory.dmp

Filesize
84KB

Download
memory/4760-43-0x0000000005D60000-0x0000000005D75000-memory.dmp

Filesize
84KB

Download
memory/4760-17-0x0000000003870000-0x000000000387A000-memory.dmp

Filesize
40KB

Download
memory/4760-18-0x0000000000890000-0x000000000100C000-memory.dmp

Filesize
7.5MB

Download
memory/4760-19-0x0000000074FE0000-0x00000000751A2000-memory.dmp

Filesize
1.8MB

Download
memory/4760-20-0x00000000772A0000-0x0000000077370000-memory.dmp

Filesize
832KB

Download
memory/4760-21-0x00000000772A0000-0x0000000077370000-memory.dmp

Filesize
832KB

Download
memory/4760-23-0x00000000772A0000-0x0000000077370000-memory.dmp

Filesize
832KB

Download
memory/4760-24-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/4760-25-0x0000000005D60000-0x0000000005D7C000-memory.dmp

Filesize
112KB

Download
memory/4760-15-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/4760-26-0x0000000005D60000-0x0000000005D75000-memory.dmp

Filesize
84KB

Download
memory/4760-29-0x0000000005D60000-0x0000000005D75000-memory.dmp

Filesize
84KB

Download
memory/4760-31-0x0000000005D60000-0x0000000005D75000-memory.dmp

Filesize
84KB

Download
memory/4760-33-0x0000000005D60000-0x0000000005D75000-memory.dmp

Filesize
84KB

Download
memory/4760-35-0x0000000005D60000-0x0000000005D75000-memory.dmp

Filesize
84KB

Download
memory/4760-37-0x0000000005D60000-0x0000000005D75000-memory.dmp

Filesize
84KB

Download
memory/4760-39-0x0000000005D60000-0x0000000005D75000-memory.dmp

Filesize
84KB

Download
memory/4760-41-0x0000000005D60000-0x0000000005D75000-memory.dmp

Filesize
84KB

Download
memory/4760-16-0x0000000005A50000-0x0000000005AEC000-memory.dmp

Filesize
624KB

Download
memory/4760-45-0x0000000005D60000-0x0000000005D75000-memory.dmp

Filesize
84KB

Download
memory/4760-47-0x0000000005D60000-0x0000000005D75000-memory.dmp

Filesize
84KB

Download
memory/4760-49-0x0000000005D60000-0x0000000005D75000-memory.dmp

Filesize
84KB

Download
memory/4760-53-0x0000000005D50000-0x0000000005D60000-memory.dmp

Filesize
64KB

Download
memory/4760-58-0x0000000000890000-0x000000000100C000-memory.dmp

Filesize
7.5MB

Download
memory/4760-14-0x0000000006000000-0x00000000064FE000-memory.dmp

Filesize
5.0MB

Download
memory/4760-13-0x0000000000890000-0x000000000100C000-memory.dmp

Filesize
7.5MB

Download
memory/4760-12-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/4760-7-0x0000000077E24000-0x0000000077E25000-memory.dmp

Filesize
4KB

Download
memory/4760-6-0x0000000074FE0000-0x00000000751A2000-memory.dmp

Filesize
1.8MB

Download
memory/4760-5-0x00000000772A0000-0x0000000077370000-memory.dmp

Filesize
832KB

Download
memory/4760-4-0x00000000772A0000-0x0000000077370000-memory.dmp

Filesize
832KB

Download
memory/4760-3-0x00000000772A0000-0x0000000077370000-memory.dmp

Filesize
832KB

Download
memory/4760-2-0x0000000074FE0000-0x00000000751A2000-memory.dmp

Filesize
1.8MB

Download
memory/4760-1-0x0000000074FE0000-0x00000000751A2000-memory.dmp

Filesize
1.8MB

Download
memory/4760-0-0x0000000000890000-0x000000000100C000-memory.dmp

Filesize
7.5MB

Download
memory/4760-59-0x0000000074FE0000-0x00000000751A2000-memory.dmp

Filesize
1.8MB

Download
memory/4760-60-0x00000000772A0000-0x0000000077370000-memory.dmp

Filesize
832KB

Download
memory/4760-61-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download