General
-
Target
sample
-
Size
449KB
-
Sample
241016-x9kavssarm
-
MD5
f4662a16e4566ae667ef4833fbb225f8
-
SHA1
1680bbd0f8a13ceffcbeca440130c07a873f7e7d
-
SHA256
2550ae9fe196804a832cf87e2c8bb60fd066596c9a5a4fcfc211a21090a603f1
-
SHA512
065f9d9253ba28df950d0111a1c420a8ace0850062a9859ba767b1c5374296e3091bd7604a86e1b3abfd5994b94ca4643e48f97fd55840930d4494ca48e35a40
-
SSDEEP
3072:bQNPt7/6rjEcYLLSpI4sCJE8V+caQ0eiSX3R6kAdoS7+XZ1uaA/mj:bUPSpI23R6kAd2XZTAq
Static task
static1
Behavioral task
behavioral1
Sample
sample.html
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Event Triggered Execution: AppInit DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Event Triggered Execution: Image File Execution Options Injection
-
Sets service image path in registry
-
Uses Session Manager for persistence
Creates Session Manager registry key to run executable early in system boot.
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Unexpected DNS network traffic destination
Network traffic on the DNS port to servers other than the configured DNS servers was detected.
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Execution
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (1)
    Service Execution (1)
Persistence
  Boot or Logon Autostart Execution (4)
    Active Setup (1)
    Registry Run Keys / Startup Folder (3)
    Browser Extensions (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (5)
    AppInit DLLs (1)
    Change Default File Association (1)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)
  Pre-OS Boot (1)
    Bootkit (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (4)
    Active Setup (1)
    Registry Run Keys / Startup Folder (3)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (5)
    AppInit DLLs (1)
    Change Default File Association (1)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Indicator Removal (1)
    Clear Persistence (1)
  Modify Registry (11)
  Pre-OS Boot (1)
    Bootkit (1)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Discovery
  Browser Information Discovery (1)
  Peripheral Device Discovery (3)
  Query Registry (9)
  Software Discovery (1)
    Security Software Discovery (1)
  System Information Discovery (9)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)