Analysis
-
max time kernel
138s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2022 20:02
Static task
static1
Behavioral task
behavioral1
Sample
ApplicationSetup.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
ApplicationSetup.exe
Resource
win10v2004-20221111-en
General
-
Target
ApplicationSetup.exe
-
Size
128.0MB
-
MD5
60ee531549f1d8f40c947c1c25de708c
-
SHA1
893bf49b923eefe5623e8911e574a3f0f9b0f06d
-
SHA256
6cbd68a14bf5c477faf6386b8d26c56595fed4e2a8acb66541d389fdd466b7cf
-
SHA512
af9811505c205f3aafe7fd5261c5753898a2e977750e8b0cdc8543978fedb41a2ab1d553bdc85cffa8b78bc4b699dc971ab01f0eaa847251115433985e02e96a
-
SSDEEP
196608:TPQ0KH/r+HRLsZdZw8JuOVGJRudWwTBh7wiMBQFOHS3nvSBrlY8L7e5D2OmtUrhy:6S+S
Malware Config
Extracted
redline
071222_youtube
newmeta.makelog.org:10737
-
auth_value
34d206cebf0fe398e291ff8c20b37b37
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
ApplicationSetup.exepid process 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ApplicationSetup.exedescription pid process target process PID 3848 set thread context of 1416 3848 ApplicationSetup.exe aspnet_compiler.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
ApplicationSetup.exepid process 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe 3848 ApplicationSetup.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
ApplicationSetup.exeaspnet_compiler.exedescription pid process Token: SeDebugPrivilege 3848 ApplicationSetup.exe Token: SeDebugPrivilege 1416 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
ApplicationSetup.exedescription pid process target process PID 3848 wrote to memory of 1416 3848 ApplicationSetup.exe aspnet_compiler.exe PID 3848 wrote to memory of 1416 3848 ApplicationSetup.exe aspnet_compiler.exe PID 3848 wrote to memory of 1416 3848 ApplicationSetup.exe aspnet_compiler.exe PID 3848 wrote to memory of 1416 3848 ApplicationSetup.exe aspnet_compiler.exe PID 3848 wrote to memory of 1416 3848 ApplicationSetup.exe aspnet_compiler.exe PID 3848 wrote to memory of 1416 3848 ApplicationSetup.exe aspnet_compiler.exe PID 3848 wrote to memory of 1416 3848 ApplicationSetup.exe aspnet_compiler.exe PID 3848 wrote to memory of 1416 3848 ApplicationSetup.exe aspnet_compiler.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ApplicationSetup.exe"C:\Users\Admin\AppData\Local\Temp\ApplicationSetup.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1416