redline | 51b4ab44329a6efe2d4a23d5c4664da236fe08b12728d181c909feddf19eb2dc

Analysis

max time kernel
78s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2023, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlenderSetup-3.5.0-win-x64.exe
Size

637.6MB
MD5

443cc79e21eea02b0731b09aa0c58987
SHA1

976078d978f3dc0e5b8476923531aecf3485c078
SHA256

9f00eac23eaa3f569d4320235c814c1abc3a80997acbb537bed2fdb5ffba08e8
SHA512

2d6aa8e8cc46e1fe51c89eb919f5973459e4a0f1b1cf3cdbf5701e2057fd5d8533325e65efde8f2b263df2f7cf414b27680b5c13aa68919ff2e889ba4d3ec714
SSDEEP

1572864:Hcljj7Hs6Hjo0pQI/ALJXuHo9YDvA2zA10srNqr+en3R5yUJsU:H8jjbs6Hj9X/ALJoo9oA21mNi33TL

Score

10^/10

redline infostealer

Malware Config

Extracted

Family

redline

5.42.64.63:19123

Attributes

auth_value
2e251a8604620b6ba76520586114b84e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Blocklisted process makes network request 1 IoCs

flow	pid	Process
34	1152	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
5096	SetupFileApp_v6.0.9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs

pid	Process
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1152 set thread context of 3488	1152	powershell.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
1152	powershell.exe
1152	powershell.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
1152	powershell.exe
1152	powershell.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe
5096	SetupFileApp_v6.0.9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	SetupFileApp_v6.0.9.exe
Token: SeDebugPrivilege	1152	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 5096	4012	BlenderSetup-3.5.0-win-x64.exe	91
PID 4012 wrote to memory of 5096	4012	BlenderSetup-3.5.0-win-x64.exe	91
PID 4012 wrote to memory of 5096	4012	BlenderSetup-3.5.0-win-x64.exe	91
PID 5096 wrote to memory of 1152	5096	SetupFileApp_v6.0.9.exe	92
PID 5096 wrote to memory of 1152	5096	SetupFileApp_v6.0.9.exe	92
PID 5096 wrote to memory of 1152	5096	SetupFileApp_v6.0.9.exe	92
PID 1152 wrote to memory of 3488	1152	powershell.exe	94
PID 1152 wrote to memory of 3488	1152	powershell.exe	94
PID 1152 wrote to memory of 3488	1152	powershell.exe	94
PID 1152 wrote to memory of 3488	1152	powershell.exe	94
PID 1152 wrote to memory of 3488	1152	powershell.exe	94
PID 1152 wrote to memory of 3488	1152	powershell.exe	94
PID 1152 wrote to memory of 3488	1152	powershell.exe	94
PID 1152 wrote to memory of 3488	1152	powershell.exe	94

C:\Users\Admin\AppData\Local\Temp\BlenderSetup-3.5.0-win-x64.exe
"C:\Users\Admin\AppData\Local\Temp\BlenderSetup-3.5.0-win-x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Users\Admin\AppData\Local\Temp\SetupFileApp_v6.0.9\SetupFileApp_v6.0.9.exe
  "C:\Users\Admin\AppData\Local\Temp\SetupFileApp_v6.0.9\SetupFileApp_v6.0.9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
      4⤵
      PID:3488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SetupFileApp_v6.0.9\SetupFileApp_v6.0.9.exe

Filesize
901.5MB

MD5
f11ceee3693f32b6284811777fb4d66b

SHA1
7880d48509ed465c21e8e7602cb0a081f6c6d345

SHA256
986010af6d0d5abff9e07a9e59854b5fe6efc4d0bb1da186a164fc344ad4b24a

SHA512
5d9c0dbb35dea7c07658890deebfd1fc5332bac7512855dc456872614c6626098e90d44c07193d3e91ba6337d44e143ae5762aa576a8cbc68a1a49be2f5178fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupFileApp_v6.0.9\SetupFileApp_v6.0.9.exe

Filesize
911.5MB

MD5
61e74f9f89794e25794cfb225b433c44

SHA1
a3ee9225f8a4744edb4677c44a9f8dd9bb10b850

SHA256
1d0491bd21dfbbcfe19dbe49d5afae5271d04998f9c1e9c5153ec32e731dec38

SHA512
5dd098b512cb0c1b86e87e958a3603f48b165cb3da6735643f56b1ad4309acbaefde6f68b466f448fb8d595515c7a32bbae23e0bebb278aa4498aaa88bc657a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mdpaymui.qv2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1152-162-0x0000000007970000-0x00000000079E6000-memory.dmp

Filesize
472KB

Download
memory/1152-169-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1152-178-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1152-163-0x0000000008070000-0x00000000086EA000-memory.dmp

Filesize
6.5MB

Download
memory/1152-171-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1152-144-0x0000000002D10000-0x0000000002D46000-memory.dmp

Filesize
216KB

Download
memory/1152-145-0x0000000005880000-0x0000000005EA8000-memory.dmp

Filesize
6.2MB

Download
memory/1152-146-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/1152-147-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/1152-153-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1152-168-0x0000000007D50000-0x0000000007D72000-memory.dmp

Filesize
136KB

Download
memory/1152-154-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1152-159-0x0000000006670000-0x000000000668E000-memory.dmp

Filesize
120KB

Download
memory/1152-160-0x0000000006BD0000-0x0000000006C14000-memory.dmp

Filesize
272KB

Download
memory/1152-161-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1152-166-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1152-167-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1152-164-0x00000000079F0000-0x0000000007A0A000-memory.dmp

Filesize
104KB

Download
memory/3488-173-0x0000000018860000-0x0000000018E78000-memory.dmp

Filesize
6.1MB

Download
memory/3488-175-0x00000000182D0000-0x00000000182E2000-memory.dmp

Filesize
72KB

Download
memory/3488-183-0x000000001A3E0000-0x000000001A90C000-memory.dmp

Filesize
5.2MB

Download
memory/3488-182-0x0000000019CE0000-0x0000000019EA2000-memory.dmp

Filesize
1.8MB

Download
memory/3488-179-0x0000000018640000-0x0000000018650000-memory.dmp

Filesize
64KB

Download
memory/3488-177-0x0000000018330000-0x000000001836C000-memory.dmp

Filesize
240KB

Download
memory/3488-172-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3488-176-0x0000000018640000-0x0000000018650000-memory.dmp

Filesize
64KB

Download
memory/3488-174-0x00000000183A0000-0x00000000184AA000-memory.dmp

Filesize
1.0MB

Download
memory/5096-139-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/5096-142-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/5096-143-0x0000000005950000-0x000000000595A000-memory.dmp

Filesize
40KB

Download
memory/5096-141-0x0000000005420000-0x0000000005442000-memory.dmp

Filesize
136KB

Download
memory/5096-140-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/5096-165-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/5096-138-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download