Overview

overview

10

Static

static

setup_x86_...0).exe

windows7_x64

10

setup_x86_...0).exe

windows10_x64

10

setup_x86_...1).exe

windows7_x64

10

setup_x86_...1).exe

windows10_x64

10

setup_x86_...2).exe

windows7_x64

setup_x86_...2).exe

windows10_x64

10

setup_x86_...3).exe

windows7_x64

10

setup_x86_...3).exe

windows10_x64

10

setup_x86_...4).exe

windows7_x64

10

setup_x86_...4).exe

windows10_x64

10

setup_x86_...5).exe

windows7_x64

10

setup_x86_...5).exe

windows10_x64

10

setup_x86_...6).exe

windows7_x64

10

setup_x86_...6).exe

windows10_x64

10

setup_x86_...7).exe

windows7_x64

10

setup_x86_...7).exe

windows10_x64

10

setup_x86_...8).exe

windows7_x64

10

setup_x86_...8).exe

windows10_x64

10

setup_x86_...9).exe

windows7_x64

10

setup_x86_...9).exe

windows10_x64

10

setup_x86_...2).exe

windows7_x64

10

setup_x86_...2).exe

windows10_x64

10

setup_x86_...0).exe

windows7_x64

10

setup_x86_...0).exe

windows10_x64

10

setup_x86_...1).exe

windows7_x64

10

setup_x86_...1).exe

windows10_x64

10

setup_x86_...2).exe

windows7_x64

10

setup_x86_...2).exe

windows10_x64

10

setup_x86_...3).exe

windows7_x64

10

setup_x86_...3).exe

windows10_x64

10

setup_x86_...3).exe

windows7_x64

10

setup_x86_...3).exe

windows10_x64

10

Resubmissions

11-07-2024 05:43

240711-gej4lstgrf 10

06-09-2021 14:13

210906-rjpvrsedbm 10

08-07-2021 11:08

210708-4gztl3mwl6 10

08-07-2021 08:02

210708-klfb4qeda6 10

07-07-2021 09:39

210707-nem57xyvf2 10

06-07-2021 17:51

210706-7pcrmjy3fa 10

06-07-2021 13:45

210706-eybelwcq86 10

Analysis

  • max time kernel
    1534s
  • max time network
    1575s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    06-09-2021 14:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install - копия (15).exe

  • Size

    3.2MB

  • MD5

    3ae1c212119919e5fce71247286f8e0e

  • SHA1

    97c1890ab73c539056f95eafede319df774e9d38

  • SHA256

    30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

  • SHA512

    5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

Score
10/10
redlinevidar706servaniaspackv2evasioninfostealerstealertrojan

Malware Config

Extracted

Family

vidar

Version

39.4

Botnet

706

C2

https://sergeevih43.tumblr.com/

Attributes
  • profile_id

    706

Extracted

Family

redline

Botnet

ServAni

C2

87.251.71.195:82

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 2 IoCs
    stealer
  • ASPack v2.12-2.42 14 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 60 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 20 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:468
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:872
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:1824
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:2004
    • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (15).exe
      "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (15).exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1328
        • C:\Users\Admin\AppData\Local\Temp\7zS03567F15\setup_install.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS03567F15\setup_install.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c arnatic_1.exe
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:856
            • C:\Users\Admin\AppData\Local\Temp\7zS03567F15\arnatic_1.exe
              arnatic_1.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:1460
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 948
                6⤵
                • Loads dropped DLL
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:1476
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c arnatic_2.exe
            4⤵
              PID:1728
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c arnatic_3.exe
              4⤵
              • Loads dropped DLL
              PID:920
              • C:\Users\Admin\AppData\Local\Temp\7zS03567F15\arnatic_3.exe
                arnatic_3.exe
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:1292
                • C:\Windows\SysWOW64\rUNdlL32.eXe
                  "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
                  6⤵
                  • Loads dropped DLL
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:764
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c arnatic_4.exe
              4⤵
              • Loads dropped DLL
              PID:1632
              • C:\Users\Admin\AppData\Local\Temp\7zS03567F15\arnatic_4.exe
                arnatic_4.exe
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Modifies system certificate store
                PID:512
                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:812
                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  PID:268
                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:1668
                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:1296
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c arnatic_5.exe
              4⤵
              • Loads dropped DLL
              PID:1644
              • C:\Users\Admin\AppData\Local\Temp\7zS03567F15\arnatic_5.exe
                arnatic_5.exe
                5⤵
                • Executes dropped EXE
                • Modifies system certificate store
                • Suspicious use of AdjustPrivilegeToken
                PID:1288
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c arnatic_6.exe
              4⤵
              • Loads dropped DLL
              PID:968
              • C:\Users\Admin\AppData\Local\Temp\7zS03567F15\arnatic_6.exe
                arnatic_6.exe
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Modifies system certificate store
                PID:1764
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c arnatic_7.exe
              4⤵
              • Loads dropped DLL
              PID:300
              • C:\Users\Admin\AppData\Local\Temp\7zS03567F15\arnatic_7.exe
                arnatic_7.exe
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                PID:900
                • C:\Users\Admin\AppData\Local\Temp\7zS03567F15\arnatic_7.exe
                  C:\Users\Admin\AppData\Local\Temp\7zS03567F15\arnatic_7.exe
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1736

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/764-167-0x0000000002290000-0x0000000002391000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/764-169-0x0000000000360000-0x00000000003BD000-memory.dmp

        Filesize

        372KB

        Download

      • memory/872-168-0x0000000000A90000-0x0000000000ADC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/872-170-0x00000000014C0000-0x0000000001531000-memory.dmp

        Filesize

        452KB

        Download

      • memory/900-157-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1204-89-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/1204-106-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/1204-91-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/1204-90-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/1204-93-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1204-95-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1204-97-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1204-94-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1204-107-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/1204-109-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/1204-92-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1204-96-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1288-147-0x0000000000A70000-0x0000000000A71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1288-155-0x0000000000380000-0x0000000000381000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1288-156-0x000000001AF50000-0x000000001AF52000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1288-154-0x0000000000360000-0x000000000037F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/1288-153-0x0000000000350000-0x0000000000351000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1460-175-0x0000000000400000-0x0000000000949000-memory.dmp

        Filesize

        5.3MB

        Download

      • memory/1460-173-0x0000000000950000-0x00000000009ED000-memory.dmp

        Filesize

        628KB

        Download

      • memory/1476-194-0x0000000000830000-0x0000000000831000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1736-176-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1736-189-0x00000000044D0000-0x00000000044D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1736-182-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1808-60-0x0000000076641000-0x0000000076643000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1824-174-0x0000000000480000-0x00000000004F1000-memory.dmp

        Filesize

        452KB

        Download

      • memory/2004-198-0x00000000000E0000-0x000000000012E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/2004-199-0x0000000000470000-0x00000000004E4000-memory.dmp

        Filesize

        464KB

        Download

      • memory/2004-200-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2004-201-0x0000000001C10000-0x0000000001C2B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/2004-202-0x00000000030D0000-0x00000000031D6000-memory.dmp

        Filesize

        1.0MB

        Download