redline | a8273705002785a0db17525650ef59ad3ddf6b475ac9475a7a8d00f3893e9adf

General

Target

VMXSPF/VMXSPF.exe
Size

3.5MB
MD5

39bf6ccd737cc9c0c3801fc3b3455441
SHA1

7a51f28bbb4da653119fb0fa1679ef67b906e5f1
SHA256

e1a7972f5375eeb34a3f3a4d1177704ed211044c9e24e4ac601f582ce47f10a1
SHA512

98b5b88440e8acfcf57d2cdba686ad4848a0a6140dbfed6d1ba69a4ef0fbe9b8e6e96fd767fa3b3997ebbef00df68c7c26ec40d45ab23c185c51f06926c62aec
SSDEEP

98304:9JyDACLJdRIAGM9wqp4cOPs3fH0MtZ/1X:raACLJdvGMGcgUfUyZ

Score

10^/10

redline sectoprat credential_access discovery evasion infostealer rat spyware stealer themida trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2900-11-0x0000000000400000-0x0000000000D36000-memory.dmp	family_sectoprat
behavioral1/memory/2900-12-0x0000000000400000-0x0000000000D36000-memory.dmp	family_sectoprat
behavioral1/memory/2900-203-0x0000000000400000-0x0000000000D36000-memory.dmp	family_sectoprat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

VMXSPF.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ VMXSPF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VMXSPF.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VMXSPF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VMXSPF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VMXSPF.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2900-11-0x0000000000400000-0x0000000000D36000-memory.dmp	themida
behavioral1/memory/2900-12-0x0000000000400000-0x0000000000D36000-memory.dmp	themida
behavioral1/memory/2900-203-0x0000000000400000-0x0000000000D36000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

VMXSPF.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA VMXSPF.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

VMXSPF.exe

pid process

2900 VMXSPF.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

VMXSPF.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VMXSPF.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

VMXSPF.exe

pid process

2900 VMXSPF.exe
2900 VMXSPF.exe
2900 VMXSPF.exe
2900 VMXSPF.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

VMXSPF.exe

description pid process

Token: SeDebugPrivilege 2900 VMXSPF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VMXSPF.exe

pid	process
2900	VMXSPF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VMXSPF.exe

pid	process
2900	VMXSPF.exe
2900	VMXSPF.exe
2900	VMXSPF.exe
2900	VMXSPF.exe

description	pid	process
Token: SeDebugPrivilege	2900	VMXSPF.exe

C:\Users\Admin\AppData\Local\Temp\VMXSPF\VMXSPF.exe
"C:\Users\Admin\AppData\Local\Temp\VMXSPF\VMXSPF.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpED8D.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEDA3.tmp

Filesize
114KB

MD5
db26309558628fa1ef6a1edd23ab2b09

SHA1
9bfb0530d0c2dcc6f9b3947bc3ca602943356368

SHA256
e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070

SHA512
4171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEDDE.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEDF3.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEDF9.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE25.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
memory/2900-7-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download
memory/2900-4-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download
memory/2900-0-0x0000000000400000-0x0000000000D36000-memory.dmp

Filesize
9.2MB

Download
memory/2900-9-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download
memory/2900-11-0x0000000000400000-0x0000000000D36000-memory.dmp

Filesize
9.2MB

Download
memory/2900-12-0x0000000000400000-0x0000000000D36000-memory.dmp

Filesize
9.2MB

Download
memory/2900-13-0x00000000053B0000-0x00000000059C8000-memory.dmp

Filesize
6.1MB

Download
memory/2900-14-0x0000000005A10000-0x0000000005A22000-memory.dmp

Filesize
72KB

Download
memory/2900-15-0x0000000005A70000-0x0000000005AAC000-memory.dmp

Filesize
240KB

Download
memory/2900-16-0x0000000005AB0000-0x0000000005AFC000-memory.dmp

Filesize
304KB

Download
memory/2900-17-0x0000000005C20000-0x0000000005D2A000-memory.dmp

Filesize
1.0MB

Download
memory/2900-18-0x0000000006820000-0x00000000069E2000-memory.dmp

Filesize
1.8MB

Download
memory/2900-19-0x00000000069F0000-0x0000000006F1C000-memory.dmp

Filesize
5.2MB

Download
memory/2900-5-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download
memory/2900-6-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download
memory/2900-8-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download
memory/2900-2-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download
memory/2900-3-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download
memory/2900-1-0x0000000075F80000-0x0000000075F81000-memory.dmp

Filesize
4KB

Download
memory/2900-174-0x0000000007040000-0x00000000070A6000-memory.dmp

Filesize
408KB

Download
memory/2900-175-0x0000000000400000-0x0000000000D36000-memory.dmp

Filesize
9.2MB

Download
memory/2900-176-0x0000000007250000-0x00000000077F4000-memory.dmp

Filesize
5.6MB

Download
memory/2900-177-0x0000000007870000-0x0000000007902000-memory.dmp

Filesize
584KB

Download
memory/2900-178-0x0000000007930000-0x00000000079A6000-memory.dmp

Filesize
472KB

Download
memory/2900-179-0x0000000007BB0000-0x0000000007BCE000-memory.dmp

Filesize
120KB

Download
memory/2900-199-0x0000000075F80000-0x0000000075F81000-memory.dmp

Filesize
4KB

Download
memory/2900-200-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download
memory/2900-203-0x0000000000400000-0x0000000000D36000-memory.dmp

Filesize
9.2MB

Download
memory/2900-204-0x0000000075F60000-0x0000000076050000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads