Analysis

  • max time kernel
    143s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/12/2022, 06:45

General

  • Target
    SoftwareSetupFile.exe
  • Size
    2.5MB
  • MD5
    7106bab16ae64b7f9bed1b90a2bbf03f
  • SHA1
    ac6fae9627cf58654bc167bd63432111be9fd71e
  • SHA256
    2a0e09e83a2f7198f6a9595d957dfcf0dcdf86a1c65ef4211c50eb15dd4ad598
  • SHA512
    01cc49a5e6df8c6dfe197d4b638e60313b11f0efb016be29c457dc00ea5690c8d047c56cbff9f0c4a4a9c1b1b135dd2f7d2ccf4ca53856d398444d47368176e5
  • SSDEEP
    24576:pI3cT50k2PYbtJcLQ/KpE2lcpZCyphghPUuZLxNjcFttg7qFCMSrOfBFJm4kazYc:E3qCs/AE2lhhsa1N8/FKeFJm4vAKjv

Malware Config

Extracted

  • Family
    redline
  • Botnet
    jiguli2
  • C2
    78.47.191.142:63772
  • Attributes
    auth_value: 8885b314866def6ca43d3df3c4c20819

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SoftwareSetupFile.exe
    "C:\Users\Admin\AppData\Local\Temp\SoftwareSetupFile.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
      2⤵
      PID:4368
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1800


Downloads

  • memory/1800-138-0x00000000054C0000-0x00000000055CA000-memory.dmp
    Filesize: 1.0MB
  • memory/1800-136-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize: 160KB
  • memory/1800-137-0x00000000059A0000-0x0000000005FB8000-memory.dmp
    Filesize: 6.1MB
  • memory/1800-139-0x00000000053F0000-0x0000000005402000-memory.dmp
    Filesize: 72KB
  • memory/1800-140-0x00000000055D0000-0x000000000560C000-memory.dmp
    Filesize: 240KB
  • memory/1800-141-0x0000000005760000-0x00000000057C6000-memory.dmp
    Filesize: 408KB
  • memory/1800-142-0x00000000069B0000-0x0000000006F54000-memory.dmp
    Filesize: 5.6MB
  • memory/1800-143-0x0000000007BE0000-0x0000000007DA2000-memory.dmp
    Filesize: 1.8MB
  • memory/1800-144-0x00000000082E0000-0x000000000880C000-memory.dmp
    Filesize: 5.2MB
  • memory/4848-133-0x0000000005130000-0x00000000051C2000-memory.dmp
    Filesize: 584KB
  • memory/4848-132-0x0000000000510000-0x0000000000794000-memory.dmp
    Filesize: 2.5MB