Analysis
- max time kernel: 4s
- max time network: 7s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 21-05-2024 03:47
Static task: static1
Behavioral task: behavioral1
- Sample: Setup.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: Setup.exe
- Resource: win10v2004-20240226-en
General
- Target: Setup.exe
- Size: 777KB
- MD5: 609dc8041c85d08ca88532beda64010b
- SHA1: a3f016ce71a6e39529f3e270f70baa4aa5a4d66a
- SHA256: 5eddb42cd21a88637770326bea9ae489ea4b1e3076adf38e1f1021a2deacf194
- SHA512: e8ba403f37d5f3b59e8f6ee54665c9c7dc6c1732cfe0c5c18d4c5049b760a4bac58b10a2f4dc84ba7e40f04548222cd72eb390df7356af9152dbcb0960adb984
- SSDEEP: 12288:arOHiaskkwFRa+BbM68oXwKo4UBI6ataVOVnjsuXhdKwa3Kj5jtG96L/315HxUJx:bCpkkUhlAKoBJ7j
Malware Config
Extracted
redline
5664290451
https://pastebin.com/raw/NgsUAPya
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/2964-14-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
  behavioral1/memory/2964-11-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
  behavioral1/memory/2964-10-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
  behavioral1/memory/2964-19-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
  behavioral1/memory/2964-17-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
- Loads dropped DLL (1 IoC)
  pid | Process
  1932 | Setup.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow | ioc
  2 | pastebin.com
  3 | pastebin.com
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1932 set thread context of 2964 | 1932 | Setup.exe | 29
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  2964 | MSBuild.exe (8 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2964 | MSBuild.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1932 wrote to memory of 2964 | 1932 | Setup.exe | 29 (9 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1932
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2964
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 205KB
  MD5: f9518ffe8440bb06e5cefa90d928aed8
  SHA1: 364b74d3f1f4d967a95e066c695209e6deb0d1b2
  SHA256: dda11b2d41246c39473f2266df03399d9fd9c68be8f84a601a5ba3cf4b51d305
  SHA512: 5e15d08887d223f3c6acc1711a7030306438d297402c79848a3588d40bb88b816cf5a735be043dcff328219ac3d3c4141364ffa7b790201e97f3fdf7f24bcd79