Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
13/01/2024, 11:24
Static task
static1
Behavioral task
behavioral1
Sample
58cd344626319c5b2a533871979b4225.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
58cd344626319c5b2a533871979b4225.exe
Resource
win10v2004-20231215-en
General
-
Target
58cd344626319c5b2a533871979b4225.exe
-
Size
1.9MB
-
MD5
58cd344626319c5b2a533871979b4225
-
SHA1
7720d2f88a0ea1495ae13ceb6f9d5d08fa6a696e
-
SHA256
c3e9175742396eb00a44a0c826d698ad3e639159d2ad81391f2a42e74196340e
-
SHA512
7effb6fb2be297a3f5de7b6d85e3855eb667f80ae8649cdd0c6a3e8a4e3d691bfd817ae4c4630667f7104dd3ba5502c8558653d98756e7aefe60bce3a6522881
-
SSDEEP
49152:v/QOhFsIBdVbb6Wvg6glBFSsSeRRoN83a5lbvw:v/bFsQfb6WvdglBFSCR2JI
Malware Config
Extracted
redline
qawsedrf
65.21.162.231:41328
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SectopRAT payload 2 IoCs
resource yara_rule behavioral1/memory/2940-9-0x0000000001070000-0x0000000001546000-memory.dmp family_sectoprat behavioral1/memory/2940-6-0x0000000001070000-0x0000000001546000-memory.dmp family_sectoprat -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 58cd344626319c5b2a533871979b4225.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 58cd344626319c5b2a533871979b4225.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 58cd344626319c5b2a533871979b4225.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Wine 58cd344626319c5b2a533871979b4225.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 58cd344626319c5b2a533871979b4225.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 58cd344626319c5b2a533871979b4225.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2940 58cd344626319c5b2a533871979b4225.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2940 58cd344626319c5b2a533871979b4225.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2940 58cd344626319c5b2a533871979b4225.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\58cd344626319c5b2a533871979b4225.exe"C:\Users\Admin\AppData\Local\Temp\58cd344626319c5b2a533871979b4225.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940