Analysis
max time kernel: 205s
max time network: 211s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-12-2022 08:57
Behavioral tasks
- behavioral1: Sample SoftwareSetupFile.exe, Resource win7-20221111-en
- behavioral2: Sample SoftwareSetupFile.exe, Resource win10v2004-20221111-en (the task this report covers)
General
Target: SoftwareSetupFile.exe
Size: 1.1MB
MD5: a556f115bbafe2cbc392f37775140807
SHA1: 61abcc6e03b291970489b641634f3faa2c052946
SHA256: 023e051091cf055f6544cdf73b0287dd25087cd6235d798793503d6ddbd0d061
SHA512: 4f460c703ef34cea163bd3d47a2986a312c7261acde5daa2312df94d3eb587892d7dc2453efdfb9f0190e4baf9fce9a9b37fc2fe1408dae54975a6af6a03f2b2
SSDEEP: 24576:MpwRaY3FAaKEY2zyIe93w5DckiRi66MUZuBgVneTvcwH+pv5hxDtVQRIwnl2/2h3:MpwRaY3FAaKEY2zyJ93w5DckiRi66MU+
Malware Config
Extracted
Family: redline
Botnet: slabo krutish 2
C2: 78.47.191.142:63772
Attributes: auth_value = f65ad1dc3b50bd274e38a201f0121669
Signatures
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Resource: behavioral2/memory/3036-132-0x0000000000E40000-0x0000000000F6C000-memory.dmp; YARA rule: agile_net
- Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
Processes: SoftwareSetupFile.exe (PID 3036), 7 hits
- Suspicious use of SetThreadContext (1 IoC)
Processes: PID 3036 (SoftwareSetupFile.exe) set thread context of PID 4840 (aspnet_compiler.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: SoftwareSetupFile.exe (PID 3036), 64 hits
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: SoftwareSetupFile.exe (PID 3036) adjusted token privilege SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
Processes: PID 3036 (SoftwareSetupFile.exe) wrote to memory of PID 4840 (aspnet_compiler.exe), 8 hits
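The sequence the signatures record for PID 3036 (enable SeDebugPrivilege, hide its threads from a debugger, spawn aspnet_compiler.exe, write into its memory eight times, then reset its thread context) is the classic process-injection chain that sandbox analysts match to flag hollowing of a signed Microsoft binary; the child in the process tree is launched with no arguments, which is a further tell. The Python below is an added example, not the sandbox's or the page's own code. It parses behaviour lines in the layout this report uses (that layout, "PID <src> wrote to memory of <dst> <src> <src image> <dst image>", is an assumption read off the page), reports every source/target pair that was both written to and had its thread context replaced, and splits the extracted C2 string into host and port. The HOLLOW_TARGETS list is an analyst-maintained example list, not something the report states, and the sample lines are a constructed subset of the report's IoCs.

```python
"""Flag a WriteProcessMemory + SetThreadContext injection chain in
Triage-style behaviour lines.  Added example; not the sandbox's own code."""
import re
from collections import defaultdict

# Constructed input: a subset of the signature lines from this report,
# in the one-line-per-IoC form the sandbox emits (layout is an assumption).
REPORT_LINES = """\
Token: SeDebugPrivilege 3036 SoftwareSetupFile.exe
PID 3036 set thread context of 4840 3036 SoftwareSetupFile.exe aspnet_compiler.exe
PID 3036 wrote to memory of 4840 3036 SoftwareSetupFile.exe aspnet_compiler.exe
PID 3036 wrote to memory of 4840 3036 SoftwareSetupFile.exe aspnet_compiler.exe
PID 3036 wrote to memory of 4840 3036 SoftwareSetupFile.exe aspnet_compiler.exe
""".splitlines()

# Assumed field order: PID <src> <verb> <dst> <src> <src image> <dst image>
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
PRIV_RE = re.compile(r"^Token: (Se\w+Privilege) (\d+) (\S+)$")

# Signed .NET framework binaries that are commonly spawned suspended and
# overwritten.  Example list maintained by the analyst (assumption), seeded
# with the target observed in this report.
HOLLOW_TARGETS = {"aspnet_compiler.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def parse_events(lines):
    """Group raw lines into per-pair write counts, thread-context events
    and per-PID token privileges."""
    writes = defaultdict(int)   # (src_pid, dst_pid, src_img, dst_img) -> count
    ctx = set()                 # (src_pid, dst_pid, src_img, dst_img)
    privs = defaultdict(set)    # src_pid -> {privilege name}
    for line in lines:
        m = WRITE_RE.match(line)
        if m:
            writes[(int(m[1]), int(m[2]), m[3], m[4])] += 1
            continue
        m = CTX_RE.match(line)
        if m:
            ctx.add((int(m[1]), int(m[2]), m[3], m[4]))
            continue
        m = PRIV_RE.match(line)
        if m:
            privs[int(m[2])].add(m[1])
    return writes, ctx, privs


def find_injection(lines):
    """One finding per (source, target) pair that was both written to and had
    its thread context replaced.  A SetThreadContext with no preceding write
    is not reported: a debugger or crash handler can legitimately do that."""
    writes, ctx, privs = parse_events(lines)
    findings = []
    for key in sorted(ctx):
        src_pid, dst_pid, src_img, dst_img = key
        if writes.get(key, 0) == 0:
            continue
        findings.append({
            "source": f"{src_img} (PID {src_pid})",
            "target": f"{dst_img} (PID {dst_pid})",
            "memory_writes": writes[key],
            "known_hollow_target": dst_img.lower() in HOLLOW_TARGETS,
            "source_privileges": sorted(privs.get(src_pid, ())),
        })
    return findings


def parse_c2(endpoint):
    """Split the extracted RedLine 'host:port' C2 string into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


if __name__ == "__main__":
    for finding in find_injection(REPORT_LINES):
        print(finding)
    print(parse_c2("78.47.191.142:63772"))
```

Run against the three constructed write lines it reports one finding (three writes, target flagged as a known hollowing target, source holding SeDebugPrivilege); against the full report it would count eight. Requiring both a write and a context reset for the same pair is what keeps the rule from firing on ordinary debugger activity.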
Processes
- 1: C:\Users\Admin\AppData\Local\Temp\SoftwareSetupFile.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SoftwareSetupFile.exe"
Signatures: NtSetInformationThreadHideFromDebugger, SetThreadContext, EnumeratesProcesses, AdjustPrivilegeToken, WriteProcessMemory
- 2 (child of 1): C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Command line (as recorded, no arguments): C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
Downloads (memory dumps)
- memory/3036-132-0x0000000000E40000-0x0000000000F6C000-memory.dmp, 1.2MB
- memory/3036-133-0x00000000058E0000-0x0000000005972000-memory.dmp, 584KB
- memory/4840-134-0x0000000000000000-mapping.dmp
- memory/4840-135-0x0000000000400000-0x0000000000432000-memory.dmp, 200KB
- memory/4840-136-0x0000000005660000-0x0000000005C78000-memory.dmp, 6.1MB
- memory/4840-137-0x00000000051E0000-0x00000000052EA000-memory.dmp, 1.0MB
- memory/4840-138-0x0000000005110000-0x0000000005122000-memory.dmp, 72KB
- memory/4840-139-0x00000000051A0000-0x00000000051DC000-memory.dmp, 240KB