Overview

overview

10

Static

static

1

InstallerE...6s.exe

windows10-2004-x64

10

Resubmissions

13-06-2023 07:00

230613-hs3zbafg3w 10

13-06-2023 06:39

230613-heq3lafg2t 10

13-06-2023 03:28

230613-d1sq4aee98 10

13-06-2023 03:07

230613-dmpghsfb3z 10

Analysis

  • max time kernel
    143s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-06-2023 03:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    InstallerExpress_v3v.0u.6s/InstallerExpress_v3v.0u.6s.exe

  • Size

    693.0MB

  • MD5

    fb757b3c077ec1976a8079ca0925e330

  • SHA1

    a8a3c03094572e007b867b5bb9c26acfb182c509

  • SHA256

    f2c3ec6f9869bb611d264d0a4a0dd0ba68b84d17672f07db44e90254b429a667

  • SHA512

    6fe3c5aebf1e576215ebd283f967aa35d73339df82c8d06e54fcee6fd33dc4d98408d3916c1a683a71b41a4d2dfe54d18883538bd3f7933d857b72e7dd911502

  • SSDEEP

    1572864:NphKtrquc1CVrmamaH0Zxz6RILY6/noAuKFiAC2J2:Npg+Z0VTmVxz1d/noAB72

Score
10/10
redline@hendrolasinfostealer

Malware Config

Extracted

Family

redline

Botnet

@hendrolas

C2

94.142.138.4:80

Attributes
  • auth_value

    71d16d25eddbb4fd3b98070432f1a757

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\InstallerExpress_v3v.0u.6s\InstallerExpress_v3v.0u.6s.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallerExpress_v3v.0u.6s\InstallerExpress_v3v.0u.6s.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Local\Temp\Installer-Expert_v7g.1.7b\Installer-Expert_v7g.1.7b.exe
      "C:\Users\Admin\AppData\Local\Temp\Installer-Expert_v7g.1.7b\Installer-Expert_v7g.1.7b.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:440
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3236
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
          4⤵
            PID:1736
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
            4⤵
              PID:3848

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Installer-Expert_v7g.1.7b\Installer-Expert_v7g.1.7b.exe
        Filesize

        761.8MB

        MD5

        469b4eb3d9e71ace8bc01d46fe8ec6f3

        SHA1

        489aa9ab8aa9a3f20eacdd418c9c91c1326edac4

        SHA256

        0cd926d1bd253876141aa8aa3bf9e97755512d812edad22995525fd3447e8562

        SHA512

        207aebf104491d1ccc63f490d07c2f5fe70cdb6161f26c8d7b3ada9e9a0752c957f6c174ee076fa5a552bc51df9d958188784f209a903ac9855df6c84fe9855c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Installer-Expert_v7g.1.7b\Installer-Expert_v7g.1.7b.exe
        Filesize

        761.8MB

        MD5

        469b4eb3d9e71ace8bc01d46fe8ec6f3

        SHA1

        489aa9ab8aa9a3f20eacdd418c9c91c1326edac4

        SHA256

        0cd926d1bd253876141aa8aa3bf9e97755512d812edad22995525fd3447e8562

        SHA512

        207aebf104491d1ccc63f490d07c2f5fe70cdb6161f26c8d7b3ada9e9a0752c957f6c174ee076fa5a552bc51df9d958188784f209a903ac9855df6c84fe9855c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pwkbn3fx.liu.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/440-138-0x0000000000970000-0x0000000001970000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/440-139-0x0000000035350000-0x00000000358F4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/440-140-0x0000000034DA0000-0x0000000034E32000-memory.dmp

        Filesize

        584KB

        Download

      • memory/440-141-0x0000000034F90000-0x0000000034FA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/440-142-0x0000000034C40000-0x0000000034C4A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/440-173-0x0000000034F90000-0x0000000034FA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-160-0x0000000006F70000-0x0000000006FB4000-memory.dmp

        Filesize

        272KB

        Download

      • memory/3236-164-0x0000000007D50000-0x0000000007D6A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3236-145-0x00000000059E0000-0x0000000005A02000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3236-152-0x0000000005CF0000-0x0000000005D56000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3236-153-0x0000000003260000-0x0000000003270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-154-0x0000000003260000-0x0000000003270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-159-0x00000000069C0000-0x00000000069DE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3236-144-0x0000000005E10000-0x0000000006438000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/3236-161-0x0000000007CB0000-0x0000000007D26000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3236-162-0x0000000003260000-0x0000000003270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-163-0x00000000083B0000-0x0000000008A2A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/3236-146-0x0000000005B80000-0x0000000005BE6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3236-165-0x0000000003260000-0x0000000003270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-166-0x0000000008B20000-0x0000000008B42000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3236-176-0x0000000003260000-0x0000000003270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-174-0x0000000003260000-0x0000000003270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-175-0x0000000003260000-0x0000000003270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-143-0x0000000003050000-0x0000000003086000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3848-171-0x000000001F1D0000-0x000000001F20C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3848-172-0x0000000017490000-0x00000000174A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3848-170-0x000000001F0B0000-0x000000001F0C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3848-169-0x000000001EEA0000-0x000000001EFAA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3848-168-0x000000001D510000-0x000000001DB28000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3848-167-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download