Overview

overview

10

Static

static

7

SoftwareSetupFile.exe

windows7-x64

7

SoftwareSetupFile.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    205s
  • max time network
    211s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-12-2022 08:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SoftwareSetupFile.exe

  • Size

    1.1MB

  • MD5

    a556f115bbafe2cbc392f37775140807

  • SHA1

    61abcc6e03b291970489b641634f3faa2c052946

  • SHA256

    023e051091cf055f6544cdf73b0287dd25087cd6235d798793503d6ddbd0d061

  • SHA512

    4f460c703ef34cea163bd3d47a2986a312c7261acde5daa2312df94d3eb587892d7dc2453efdfb9f0190e4baf9fce9a9b37fc2fe1408dae54975a6af6a03f2b2

  • SSDEEP

    24576:MpwRaY3FAaKEY2zyIe93w5DckiRi66MUZuBgVneTvcwH+pv5hxDtVQRIwnl2/2h3:MpwRaY3FAaKEY2zyJ93w5DckiRi66MU+

Score
10/10
redlineslabo krutish 2agilenetinfostealer

Malware Config

Extracted

Family

redline

Botnet

slabo krutish 2

C2

78.47.191.142:63772

Attributes
  • auth_value

    f65ad1dc3b50bd274e38a201f0121669

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SoftwareSetupFile.exe
    "C:\Users\Admin\AppData\Local\Temp\SoftwareSetupFile.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
      2⤵
        PID:4840

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3036-132-0x0000000000E40000-0x0000000000F6C000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3036-133-0x00000000058E0000-0x0000000005972000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4840-134-0x0000000000000000-mapping.dmp
      Download
    • memory/4840-135-0x0000000000400000-0x0000000000432000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4840-136-0x0000000005660000-0x0000000005C78000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4840-137-0x00000000051E0000-0x00000000052EA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4840-138-0x0000000005110000-0x0000000005122000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4840-139-0x00000000051A0000-0x00000000051DC000-memory.dmp
      Filesize

      240KB

      Download