Overview

overview

10

Static

static

3

SetupPro_R1.exe

windows7-x64

10

SetupPro_R1.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-11-2024 10:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SetupPro_R1.exe

  • Size

    1.1MB

  • MD5

    ab619a2ccbab2c5f3df2f6e53a47b224

  • SHA1

    45e1aa1cacf636cf75ca9ec5d06cc77e87019c40

  • SHA256

    fc6ded4effe32e8e5a392ddc9e73b54c11bed343d7981daa3393c3bffe058abc

  • SHA512

    fab90bdc1cf52288c81384b1eec7d544b3d472ce6fa0c899076f93ef00e8f06b03d296cb380f3839d02d5f01a9a4ba5440dafc4632dfbac32c8ae21e1c13c5a8

  • SSDEEP

    24576:siaaWD24cuYYbT9tfc1NaQH1NR9d07FE5z5ONAWBPttJVi0jh78H4D:slaWFB7nT2N3rREFEgftJVj/

Score
10/10
redlinesectoprat11discoveryinfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

11

C2

vigasiergu.xyz:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 3 IoCs
  • Sectoprat family
    sectoprat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SetupPro_R1.exe
    "C:\Users\Admin\AppData\Local\Temp\SetupPro_R1.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c cmd < Avvelenate.wma
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2396
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^xrqXljTjFhhIpucDBfVEqglRCfJobNSJnrzZDScrcRxBpUDsUEHGEiXyTocUCLPScElyMvqJTSopUIHILshTyktsyguxbBAKeCuFJbEbEYNMYOklBMplbVMpmTZndGkasnisCeYhNQginaaseVT$" Lume.wma
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2520
        • C:\Users\Admin\AppData\Roaming\Giudichera.exe.com
          Giudichera.exe.com I
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1968
          • C:\Users\Admin\AppData\Roaming\Giudichera.exe.com
            C:\Users\Admin\AppData\Roaming\Giudichera.exe.com I
            5⤵
            • Deletes itself
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2736
            • C:\Users\Admin\AppData\Roaming\RegAsm.exe
              C:\Users\Admin\AppData\Roaming\RegAsm.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2796
        • C:\Windows\SysWOW64\PING.EXE
          ping localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2268

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Avvelenate.wma
    Filesize

    572B

    MD5

    91489f7cb5199fe13219aa9b7a7e723c

    SHA1

    482ffe2c6b6f36c3d66fc7dbf68e132f9af97540

    SHA256

    b642e6edbb72668712e16d1ff91c84345ac66c06cea4a3c7b1eee0efc429966c

    SHA512

    ec82cc5c259d8a6a6c27bf25891c38e3f0931801fcb68d9755a5c0a8200ca05d8c2b7edee11df92550763f207984486993eccf4365b70eeabe4283a4909417f7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Dolcemente.wma
    Filesize

    1.2MB

    MD5

    dc0c8bcd6acf846ed6e6d2883d7ffde2

    SHA1

    b522eb73890c76df3c3950523193e0b8c7be8486

    SHA256

    33cc49151629e72790bab5e8c9949fd81d34d1d9933521f36facae6eb6ad44a9

    SHA512

    80e563fde5e206029af0fc0c5701c99310bcc68e092cecb3b7a6db8b229cee7adac2e31223aa0e0baa47077aa7f39ba216accf843db908f53744a2bb9fda03b5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Lume.wma
    Filesize

    872KB

    MD5

    47f4ed3206fed19d16fa86590e570dfc

    SHA1

    fba632fd00bd68c048b5c7114da181d55023d779

    SHA256

    d54a87064504a8ba9555abd8623ac1c86dea26715e4f767e12f5231d23d791b9

    SHA512

    2107e6f7a47687f3c137d9e869f76275df2bbe4cf33b205c818272f5243f1be383d97d952cff9a17fef778fac23da73026ed627ab01dc1e0dd13a4149b53bca3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Mantenere.wma
    Filesize

    116KB

    MD5

    ff88598a19bb1fc42bec363bb6860395

    SHA1

    c25dbcbf9ba61950a6014022430c976b4105dd02

    SHA256

    e6c8db998308ecd2379e4e102c88cdc1eeb4cc0dc499e77ae281ee24d93c39f7

    SHA512

    530d2262ec0f8800760f826321f5b60c6e56244ca9f0b4e3eee709b9a410c09b85c177b71161ecc80f356b045a2a1bc4cd964a485e9cf50f9761ccbf0aac2a47

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso94E1.tmp\nsExec.dll
    Filesize

    6KB

    MD5

    09c2e27c626d6f33018b8a34d3d98cb6

    SHA1

    8d6bf50218c8f201f06ecf98ca73b74752a2e453

    SHA256

    114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

    SHA512

    883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

    Download Submit

  • \Users\Admin\AppData\Roaming\Giudichera.exe.com
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • \Users\Admin\AppData\Roaming\RegAsm.exe
    Filesize

    63KB

    MD5

    b58b926c3574d28d5b7fdd2ca3ec30d5

    SHA1

    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

    SHA256

    6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

    SHA512

    b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

    Download Submit

  • memory/2796-30-0x0000000000090000-0x00000000000B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2796-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2796-32-0x0000000000090000-0x00000000000B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2796-36-0x0000000000090000-0x00000000000B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2796-35-0x0000000000090000-0x00000000000B2000-memory.dmp

    Filesize

    136KB

    Download