77b9f0c79ae8a64eb8d2f6ad82089b44ceda4144a96840d47371548ead61a763

Reason

Machine shutdown

General

Target

Redline_20_2/Redline_20_2_stealer-main/Panel/RedLine_20_2/Panel/Panel.exe
Size

21.2MB
MD5

70f64e55852f812c8ce30b7831accf70
SHA1

4ee00b44ce66d871bd69c2ff4d72547953baf488
SHA256

61e44f8baccf9d80daa45a5b618c3faaee7b8cdedad4656eb99f49ee80f318fb
SHA512

98056894cbea8221af6c7b35a020348e180aefc29b87eb420f215724e5f29bac3418b7dd88dc00dfe0c5adaaffac0bd9da68f2d5dae7a724cf542198e96999eb
SSDEEP

393216:acc0kqRY78G0CYXRpDmbdTTia/7USGo+3rjmKr4YYH+EUWpgX:acbkVoGJMflhZ3rjB4cW6

Score

9^/10

agilenet evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Panel.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Panel.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Panel.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Panel.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Panel.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Panel.exe

Loads dropped DLL 1 IoCs

Processes:

Panel.exe

pid process

4376 Panel.exe

pid	process
4376	Panel.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral10/memory/4376-1-0x0000000000F90000-0x00000000024BE000-memory.dmp	agile_net

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\e7953afe-ec0f-4b79-878f-78af41339d50\AgileDotNetRT.dll	themida
behavioral10/memory/4376-10-0x0000000072880000-0x0000000073005000-memory.dmp	themida
behavioral10/memory/4376-13-0x0000000072880000-0x0000000073005000-memory.dmp	themida
behavioral10/memory/4376-14-0x0000000072880000-0x0000000073005000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Panel.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Panel.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Panel.exe

pid process

4376 Panel.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Panel.exe

pid process

4376 Panel.exe
4376 Panel.exe
4376 Panel.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Panel.exe

flow	ioc
7	ip-api.com

pid	process
4376	Panel.exe

pid	process
4376	Panel.exe
4376	Panel.exe
4376	Panel.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

Panel.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	4376	Panel.exe
Token: SeIncreaseQuotaPrivilege	4440	wmic.exe
Token: SeSecurityPrivilege	4440	wmic.exe
Token: SeTakeOwnershipPrivilege	4440	wmic.exe
Token: SeLoadDriverPrivilege	4440	wmic.exe
Token: SeSystemProfilePrivilege	4440	wmic.exe
Token: SeSystemtimePrivilege	4440	wmic.exe
Token: SeProfSingleProcessPrivilege	4440	wmic.exe
Token: SeIncBasePriorityPrivilege	4440	wmic.exe
Token: SeCreatePagefilePrivilege	4440	wmic.exe
Token: SeBackupPrivilege	4440	wmic.exe
Token: SeRestorePrivilege	4440	wmic.exe
Token: SeShutdownPrivilege	4440	wmic.exe
Token: SeDebugPrivilege	4440	wmic.exe
Token: SeSystemEnvironmentPrivilege	4440	wmic.exe
Token: SeRemoteShutdownPrivilege	4440	wmic.exe
Token: SeUndockPrivilege	4440	wmic.exe
Token: SeManageVolumePrivilege	4440	wmic.exe
Token: 33	4440	wmic.exe
Token: 34	4440	wmic.exe
Token: 35	4440	wmic.exe
Token: 36	4440	wmic.exe
Token: SeIncreaseQuotaPrivilege	4440	wmic.exe
Token: SeSecurityPrivilege	4440	wmic.exe
Token: SeTakeOwnershipPrivilege	4440	wmic.exe
Token: SeLoadDriverPrivilege	4440	wmic.exe
Token: SeSystemProfilePrivilege	4440	wmic.exe
Token: SeSystemtimePrivilege	4440	wmic.exe
Token: SeProfSingleProcessPrivilege	4440	wmic.exe
Token: SeIncBasePriorityPrivilege	4440	wmic.exe
Token: SeCreatePagefilePrivilege	4440	wmic.exe
Token: SeBackupPrivilege	4440	wmic.exe
Token: SeRestorePrivilege	4440	wmic.exe
Token: SeShutdownPrivilege	4440	wmic.exe
Token: SeDebugPrivilege	4440	wmic.exe
Token: SeSystemEnvironmentPrivilege	4440	wmic.exe
Token: SeRemoteShutdownPrivilege	4440	wmic.exe
Token: SeUndockPrivilege	4440	wmic.exe
Token: SeManageVolumePrivilege	4440	wmic.exe
Token: 33	4440	wmic.exe
Token: 34	4440	wmic.exe
Token: 35	4440	wmic.exe
Token: 36	4440	wmic.exe
Token: SeShutdownPrivilege	4376	Panel.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Panel.exe

description	pid	process	target process
PID 4376 wrote to memory of 4440	4376	Panel.exe	wmic.exe
PID 4376 wrote to memory of 4440	4376	Panel.exe	wmic.exe
PID 4376 wrote to memory of 4440	4376	Panel.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\Redline_20_2\Redline_20_2_stealer-main\Panel\RedLine_20_2\Panel\Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Redline_20_2\Redline_20_2_stealer-main\Panel\RedLine_20_2\Panel\Panel.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e7953afe-ec0f-4b79-878f-78af41339d50\AgileDotNetRT.dll

Filesize
2.8MB

MD5
1e275530f75ec0222ad0a49117819936

SHA1
c469db9377442dc65d1c4c6cc5985b28cb1c26e2

SHA256
d8519a2a1f40baeb1ee2e6eb1aca27745e5dcab7c046d65b27246e24af57d2bb

SHA512
76af1a2193a3b4dc6adc31c9d160b368c6d1a6368af1e99065b53c01cd1c6a93533167a570e6ea68959eeb06b24664f182ad7eef5d7f1ecbfc4cd55e83a72061

Download Submit
memory/4376-0-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/4376-1-0x0000000000F90000-0x00000000024BE000-memory.dmp

Filesize
21.2MB

Download
memory/4376-2-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4376-10-0x0000000072880000-0x0000000073005000-memory.dmp

Filesize
7.5MB

Download
memory/4376-11-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4376-13-0x0000000072880000-0x0000000073005000-memory.dmp

Filesize
7.5MB

Download
memory/4376-14-0x0000000072880000-0x0000000073005000-memory.dmp

Filesize
7.5MB

Download
memory/4376-15-0x0000000073AA0000-0x0000000073B29000-memory.dmp

Filesize
548KB

Download
memory/4376-16-0x0000000007FD0000-0x0000000008574000-memory.dmp

Filesize
5.6MB

Download
memory/4376-17-0x0000000007AC0000-0x0000000007B52000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads