Overview

overview

10

Static

static

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/07/2022, 04:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    2.5MB

  • MD5

    692bb5c0a6be51f599fc7c89b54ed533

  • SHA1

    6ecc3892d959822a7a5d4803f665d4407e70dbe1

  • SHA256

    158e17bf5074a1e8e04d1f76adb1b19991e8646be719149bc2f3c93300ab544c

  • SHA512

    a79cd83a17532ab4bdd458cc4b5c997a57de6d65708bb01bec1e133040ad9870303a259442c9b7e3fffc8c45ea97da07c9f1b802f9361203af4ac28b414f6450

Score
10/10
redlineytstealerinfostealerspywarestealerupx

Malware Config

Extracted

Family

redline

C2

193.106.191.160:8673

Attributes
  • auth_value

    6988f8340a66b40e87fa1375bd2f916c

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • YTStealer

    YTStealer is a malware designed to steal YouTube authentication cookies.

    stealerytstealer
  • YTStealer payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:197028
      • C:\Users\Admin\AppData\Roaming\yu.exe
        "C:\Users\Admin\AppData\Roaming\yu.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\yu.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3416
          • C:\Windows\system32\choice.exe
            choice /C Y /N /D Y /T 0
            5⤵
              PID:2628

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\yu.exe
      Filesize

      4.0MB

      MD5

      da70d0aab8cad0887e5e9b5174c9d87d

      SHA1

      af5096c0b9fd4f4926850c4479c8e0e0eac8c91b

      SHA256

      6617c1ab08b88711538b600fc4c5cf76098088b436185f5590cdb0e1fc1f6b13

      SHA512

      c100a08bccfa00dcf93160b6174940db1b6839aafbbaec8caa25c4c0e004c96aebf243552df85b7dff56915401bfcb0ecb9caa9bce2edf0d29a9b52c849ebcc5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\yu.exe
      Filesize

      4.0MB

      MD5

      da70d0aab8cad0887e5e9b5174c9d87d

      SHA1

      af5096c0b9fd4f4926850c4479c8e0e0eac8c91b

      SHA256

      6617c1ab08b88711538b600fc4c5cf76098088b436185f5590cdb0e1fc1f6b13

      SHA512

      c100a08bccfa00dcf93160b6174940db1b6839aafbbaec8caa25c4c0e004c96aebf243552df85b7dff56915401bfcb0ecb9caa9bce2edf0d29a9b52c849ebcc5

      Download Submit

    • memory/1584-155-0x0000000000F60000-0x0000000001D38000-memory.dmp

      Filesize

      13.8MB

      Download

    • memory/1584-152-0x0000000000F60000-0x0000000001D38000-memory.dmp

      Filesize

      13.8MB

      Download

    • memory/1584-151-0x0000000000F60000-0x0000000001D38000-memory.dmp

      Filesize

      13.8MB

      Download

    • memory/197028-139-0x0000000004C70000-0x0000000004CAC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/197028-141-0x00000000050D0000-0x0000000005162000-memory.dmp

      Filesize

      584KB

      Download

    • memory/197028-144-0x0000000005BB0000-0x0000000005C16000-memory.dmp

      Filesize

      408KB

      Download

    • memory/197028-145-0x0000000006730000-0x0000000006780000-memory.dmp

      Filesize

      320KB

      Download

    • memory/197028-146-0x0000000007600000-0x00000000077C2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/197028-147-0x0000000007D00000-0x000000000822C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/197028-142-0x0000000005D70000-0x0000000006314000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/197028-143-0x00000000058C0000-0x00000000058DE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/197028-140-0x0000000004FB0000-0x0000000005026000-memory.dmp

      Filesize

      472KB

      Download

    • memory/197028-138-0x0000000004D40000-0x0000000004E4A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/197028-137-0x0000000004C10000-0x0000000004C22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/197028-136-0x00000000051A0000-0x00000000057B8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/197028-131-0x0000000000340000-0x0000000000360000-memory.dmp

      Filesize

      128KB

      Download