Managed XDR

raid-kostada2-outputs_...56378d573e79237bdf89c3 (RedLine Stealer) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: raid-kostada2-outputs_reduced_dataset-pesidious_1772633321-mutated_bazaar.2023.01__heur-trojan.win32.chapak_vho.vho-fdeba14e8d3c73ba746d71ae29729d1ac02d808b6056378d573e79237bdf89c3
Тип файла: PE32 executable (GUI) Intel 80386, for MS Windows
Размер файла: 1.2 MB
Первое обнаружение: 2026-03-05 14:58
Последнее обнаружение: 2026-03-05 14:58

Окружение

w10/x64 en

Хеши

SHA1: 9b9f4b895f73f942566d53ec1b20df2575239829
SHA256: 47c6400000d0803589f4e70d6e8405ce9db64b70dff3695ba502074a14138f8b
MD5: ac0751f203beeffa07227eb7c0c0d7a6

Вредоносное ПО

RedLine Stealer

Сигнатуры

Execution

T1059.007 bad_js: Suspicious Javascript file

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1562 dep_disable: Disables DEP

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1027.002 pe_features: Executable file has PE anomalies (may be false positive)

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Other

yara_rules: Static rules

modifies_certs: Attempts to generate or modify system certificates

dead_host: Connects to IP addresses that do not respond to requests

static_pe_duplicate_sections: The PE file structure contains anomalies: duplicate section names

origin_langid: Unconventional language of the executable file

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

checktokenmembership: Checks user token with CheckTokenMembership call

writes_data: Writes big amount of data to disk

js_suspicious: Suspicious javascript