Overview

overview

10

Static

static

1

INSTALLER.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    49s
  • max time network
    60s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    12-03-2023 11:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INSTALLER.exe

  • Size

    479.4MB

  • MD5

    43419f7e188f034a4f89b113870581a0

  • SHA1

    ca1762910a1169145ad49221ebf76b64e0db44b4

  • SHA256

    2175df96480d4b2c408d0e5a01533f970ef6b46c5d66762e960e3d1d02498179

  • SHA512

    d99e0cab1455b7b487d2a1657bff93c5caad0135f43421ed5124177525b8093883c7869b43106b14535bcb67fcdfef11026b494ccf78a90c2acf33c9e7c2f3a1

  • SSDEEP

    49152:9YyZTz3ZgzgaZyqU1B2uFSBhopuQJcnomyGoFo20AtObf2ECPTMGNRZCq7vOz61D:dpqvU/2HfDacnoFVO4TMGvsqKE4lP99e

Score
10/10
redlineinfostealerspyware

Malware Config

Extracted

Family

redline

C2

82.115.223.140:31656

Attributes
  • auth_value

    6a82f1fb90afb278c299e83d46279927

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 50 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
    "C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
      2⤵
        PID:2132
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
        2⤵
          PID:5076
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
          2⤵
            PID:864
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
            2⤵
              PID:1020
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
              2⤵
                PID:2608
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
                2⤵
                  PID:4104
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
                  2⤵
                    PID:5040
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
                    2⤵
                      PID:4432
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
                      2⤵
                        PID:4164
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
                        2⤵
                          PID:4052
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1672
                      • C:\Windows\system32\taskmgr.exe
                        "C:\Windows\system32\taskmgr.exe" /7
                        1⤵
                        • Checks SCSI registry key(s)
                        • Checks processor information in registry
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:4308

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/1672-148-0x0000000005F40000-0x0000000006042000-memory.dmp

                        Filesize

                        1.0MB

                        Download

                      • memory/1672-167-0x0000000007B80000-0x00000000080AC000-memory.dmp

                        Filesize

                        5.2MB

                        Download

                      • memory/1672-149-0x0000000005E30000-0x0000000005E96000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/1672-166-0x0000000007480000-0x0000000007642000-memory.dmp

                        Filesize

                        1.8MB

                        Download

                      • memory/1672-165-0x0000000004EF0000-0x0000000004F00000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1672-138-0x0000000000400000-0x0000000000446000-memory.dmp

                        Filesize

                        280KB

                        Download

                      • memory/1672-140-0x00000000054D0000-0x0000000005AE8000-memory.dmp

                        Filesize

                        6.1MB

                        Download

                      • memory/1672-141-0x0000000004FC0000-0x00000000050CA000-memory.dmp

                        Filesize

                        1.0MB

                        Download

                      • memory/1672-142-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/1672-143-0x0000000004EF0000-0x0000000004F00000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1672-144-0x0000000004F00000-0x0000000004F3C000-memory.dmp

                        Filesize

                        240KB

                        Download

                      • memory/1672-145-0x0000000005420000-0x0000000005440000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1672-146-0x0000000005D90000-0x0000000005E22000-memory.dmp

                        Filesize

                        584KB

                        Download

                      • memory/1672-147-0x00000000063E0000-0x0000000006984000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/1672-151-0x0000000005EF0000-0x0000000005F40000-memory.dmp

                        Filesize

                        320KB

                        Download

                      • memory/1672-150-0x0000000006050000-0x00000000060C6000-memory.dmp

                        Filesize

                        472KB

                        Download

                      • memory/3672-134-0x0000026A66880000-0x0000026A668F6000-memory.dmp

                        Filesize

                        472KB

                        Download

                      • memory/3672-135-0x0000026A4D520000-0x0000026A4D53E000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/3672-133-0x0000026A4B670000-0x0000026A4B9DC000-memory.dmp

                        Filesize

                        3.4MB

                        Download

                      • memory/3672-136-0x0000026A4D550000-0x0000026A4D560000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3672-137-0x0000026A66B90000-0x0000026A66C92000-memory.dmp

                        Filesize

                        1.0MB

                        Download

                      • memory/4308-158-0x0000021D290D0000-0x0000021D290D1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4308-160-0x0000021D290D0000-0x0000021D290D1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4308-153-0x0000021D290D0000-0x0000021D290D1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4308-161-0x0000021D290D0000-0x0000021D290D1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4308-162-0x0000021D290D0000-0x0000021D290D1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4308-163-0x0000021D290D0000-0x0000021D290D1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4308-164-0x0000021D290D0000-0x0000021D290D1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4308-154-0x0000021D290D0000-0x0000021D290D1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4308-159-0x0000021D290D0000-0x0000021D290D1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4308-152-0x0000021D290D0000-0x0000021D290D1000-memory.dmp

                        Filesize

                        4KB

                        Download