Analysis
-
max time kernel
140s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 19:13
Static task
static1
Behavioral task
behavioral1
Sample
b5a3293f6e5c3464ec54f929a9656f6fa87a12ebd3651aae302c4901a9c4b903.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b5a3293f6e5c3464ec54f929a9656f6fa87a12ebd3651aae302c4901a9c4b903.exe
Resource
win10v2004-20241007-en
General
-
Target
b5a3293f6e5c3464ec54f929a9656f6fa87a12ebd3651aae302c4901a9c4b903.exe
-
Size
1.3MB
-
MD5
121e8893bd05485bbb98994c8fcd45c0
-
SHA1
3dcac8d1f6e8d39689d42fd0701e66a2f721bae1
-
SHA256
b5a3293f6e5c3464ec54f929a9656f6fa87a12ebd3651aae302c4901a9c4b903
-
SHA512
ca9d99a381ea86ae4c4fe76409d28c865295747df04692e112d6b27748eaed7350a852c305487d7bc96e3255c8664b327e326c498c30f4ee26875917c21515a5
-
SSDEEP
24576:K8mNvMtmQCo4tBsnJRAaUkeYw9F3sDtj8BNQ+dvygj9eg0ixsgRgyEt7SyXoNm7l:K8mNEtfCztBsnDUnuDteBdlj9iihRgl/
Malware Config
Extracted
redline
@shakalkesha
85.209.89.134:41320
-
auth_value
162ccb101f8b04ca8af25c0592741d4e
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Redline family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b5a3293f6e5c3464ec54f929a9656f6fa87a12ebd3651aae302c4901a9c4b903.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b5a3293f6e5c3464ec54f929a9656f6fa87a12ebd3651aae302c4901a9c4b903.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b5a3293f6e5c3464ec54f929a9656f6fa87a12ebd3651aae302c4901a9c4b903.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA b5a3293f6e5c3464ec54f929a9656f6fa87a12ebd3651aae302c4901a9c4b903.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b5a3293f6e5c3464ec54f929a9656f6fa87a12ebd3651aae302c4901a9c4b903.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5a3293f6e5c3464ec54f929a9656f6fa87a12ebd3651aae302c4901a9c4b903.exe"C:\Users\Admin\AppData\Local\Temp\b5a3293f6e5c3464ec54f929a9656f6fa87a12ebd3651aae302c4901a9c4b903.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:2936