Analysis
- max time kernel: 141s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-05-2024 03:47
Static task: static1
Behavioral task: behavioral1
- Sample: Setup.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: Setup.exe
- Resource: win10v2004-20240226-en
General
- Target: Setup.exe
- Size: 777KB
- MD5: 609dc8041c85d08ca88532beda64010b
- SHA1: a3f016ce71a6e39529f3e270f70baa4aa5a4d66a
- SHA256: 5eddb42cd21a88637770326bea9ae489ea4b1e3076adf38e1f1021a2deacf194
- SHA512: e8ba403f37d5f3b59e8f6ee54665c9c7dc6c1732cfe0c5c18d4c5049b760a4bac58b10a2f4dc84ba7e40f04548222cd72eb390df7356af9152dbcb0960adb984
- SSDEEP: 12288:arOHiaskkwFRa+BbM68oXwKo4UBI6ataVOVnjsuXhdKwa3Kj5jtG96L/315HxUJx:bCpkkUhlAKoBJ7j
Malware Config
- Extracted: redline
- 5664290451
- https://pastebin.com/raw/NgsUAPya
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoCs)
  resource: behavioral2/memory/1904-9-0x0000000000400000-0x0000000000422000-memory.dmp; yara_rule: family_redline
- Loads dropped DLL (1 IoCs)
  pid / Process: 4076 Setup.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 19: pastebin.com; flow 20: pastebin.com
- Suspicious use of SetThreadContext (1 IoCs)
  PID 4076 set thread context of 1904 (pid 4076, Process Setup.exe, procid_target 92)
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid / Process: 1904 MSBuild.exe (28 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege (pid 1904, Process MSBuild.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4076 wrote to memory of 1904 (pid 4076, Process Setup.exe, procid_target 92) (8 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Setup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 4076
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child of process 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1904
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 205KB
- MD5: f9518ffe8440bb06e5cefa90d928aed8
- SHA1: 364b74d3f1f4d967a95e066c695209e6deb0d1b2
- SHA256: dda11b2d41246c39473f2266df03399d9fd9c68be8f84a601a5ba3cf4b51d305
- SHA512: 5e15d08887d223f3c6acc1711a7030306438d297402c79848a3588d40bb88b816cf5a735be043dcff328219ac3d3c4141364ffa7b790201e97f3fdf7f24bcd79