Analysis
-
max time kernel
145s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 10:48
General
-
Target
SetupPro_R1.exe
-
Size
1.1MB
-
MD5
ab619a2ccbab2c5f3df2f6e53a47b224
-
SHA1
45e1aa1cacf636cf75ca9ec5d06cc77e87019c40
-
SHA256
fc6ded4effe32e8e5a392ddc9e73b54c11bed343d7981daa3393c3bffe058abc
-
SHA512
fab90bdc1cf52288c81384b1eec7d544b3d472ce6fa0c899076f93ef00e8f06b03d296cb380f3839d02d5f01a9a4ba5440dafc4632dfbac32c8ae21e1c13c5a8
-
SSDEEP
24576:siaaWD24cuYYbT9tfc1NaQH1NR9d07FE5z5ONAWBPttJVi0jh78H4D:slaWFB7nT2N3rREFEgftJVj/
Malware Config
Extracted
redline
11
vigasiergu.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Redline family
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 1 IoCs
-
Sectoprat family
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SetupPro_R1.exe"C:\Users\Admin\AppData\Local\Temp\SetupPro_R1.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c cmd < Avvelenate.wma2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^xrqXljTjFhhIpucDBfVEqglRCfJobNSJnrzZDScrcRxBpUDsUEHGEiXyTocUCLPScElyMvqJTSopUIHILshTyktsyguxbBAKeCuFJbEbEYNMYOklBMplbVMpmTZndGkasnisCeYhNQginaaseVT$" Lume.wma4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Giudichera.exe.comGiudichera.exe.com I4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Giudichera.exe.comC:\Users\Admin\AppData\Roaming\Giudichera.exe.com I5⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RegAsm.exeC:\Users\Admin\AppData\Roaming\RegAsm.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping localhost4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD509c2e27c626d6f33018b8a34d3d98cb6
SHA18d6bf50218c8f201f06ecf98ca73b74752a2e453
SHA256114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1
SHA512883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954
-
Filesize
572B
MD591489f7cb5199fe13219aa9b7a7e723c
SHA1482ffe2c6b6f36c3d66fc7dbf68e132f9af97540
SHA256b642e6edbb72668712e16d1ff91c84345ac66c06cea4a3c7b1eee0efc429966c
SHA512ec82cc5c259d8a6a6c27bf25891c38e3f0931801fcb68d9755a5c0a8200ca05d8c2b7edee11df92550763f207984486993eccf4365b70eeabe4283a4909417f7
-
Filesize
1.2MB
MD5dc0c8bcd6acf846ed6e6d2883d7ffde2
SHA1b522eb73890c76df3c3950523193e0b8c7be8486
SHA25633cc49151629e72790bab5e8c9949fd81d34d1d9933521f36facae6eb6ad44a9
SHA51280e563fde5e206029af0fc0c5701c99310bcc68e092cecb3b7a6db8b229cee7adac2e31223aa0e0baa47077aa7f39ba216accf843db908f53744a2bb9fda03b5
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
872KB
MD547f4ed3206fed19d16fa86590e570dfc
SHA1fba632fd00bd68c048b5c7114da181d55023d779
SHA256d54a87064504a8ba9555abd8623ac1c86dea26715e4f767e12f5231d23d791b9
SHA5122107e6f7a47687f3c137d9e869f76275df2bbe4cf33b205c818272f5243f1be383d97d952cff9a17fef778fac23da73026ed627ab01dc1e0dd13a4149b53bca3
-
Filesize
116KB
MD5ff88598a19bb1fc42bec363bb6860395
SHA1c25dbcbf9ba61950a6014022430c976b4105dd02
SHA256e6c8db998308ecd2379e4e102c88cdc1eeb4cc0dc499e77ae281ee24d93c39f7
SHA512530d2262ec0f8800760f826321f5b60c6e56244ca9f0b4e3eee709b9a410c09b85c177b71161ecc80f356b045a2a1bc4cd964a485e9cf50f9761ccbf0aac2a47
-
Filesize
63KB
MD50d5df43af2916f47d00c1573797c1a13
SHA1230ab5559e806574d26b4c20847c368ed55483b0
SHA256c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
-
Filesize
136KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
304KB