Loading... Additional Content is being loaded
Windows
Analysis Report
RedEngine.exe
Overview
General Information
| Sample name: | RedEngine.exe |
| Analysis ID: | 1504561 |
| MD5: | 4fbb04c9e3aa983cbfc4980a7b5b7041 |
| SHA1: | 34aeca658462e638521bc384a4935251678a9a78 |
| SHA256: | 24f095f4f5796561cc9f9c60f71a2182fee89692f239c92e7447af3461e12731 |
| Tags: | exe |
| Infos: |   |
 |
|
Detection
Babadeda, RedLine
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule VBS From Appdata
Suricata IDS alerts for network traffic
Yara detected Babadeda
Yara detected Powershell download and execute
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Command shell drops VBS files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to infect the boot sector
Encrypted powershell cmdline option found
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell DownloadFile
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Babadeda | According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines. | No Attribution |
|
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution |
|
AV Detection |
  |
|---|
| Source: |
Avira: |
||
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Source: |
Integrated Neural Analysis Model: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
Code function: |
31_2_648E6000 | |
Compliance |
|
|---|
| Source: |
Unpacked PE file: |
||
| Source: |
Static PE information: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
Static PE information: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: | ||