Analysis
-
max time kernel
81s -
max time network
81s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
29-06-2024 04:22
General
-
Target
BrightVPN-Setup-1.422.634-fb2e56b7_pass123.rar
-
Size
1.6MB
-
MD5
5463655fb82c3271f41acf756fe82577
-
SHA1
4c64f4fcf1f64ac3aa4086cbccf0fdc5de0854a6
-
SHA256
77436bfe8498d733a09f07608054731d5f7ddb28e56ea7166c89fbae134fe334
-
SHA512
510316f97aee0d814aeae12fd9bfb0a484c0146ba0d4cdc6988c8a014664026ed3c41794ddbadb736fcc96fe8e83cea514ea6e1a9ce12d9848186771b8a98827
-
SSDEEP
24576:530ImfpJElqcPs3JQ8yRHAMF8Nyq0HQoiYYEPNpPkpIaGD8e71krJOqAMBDgzuis:RpmfpiZs3RwgMgyqOMYPUpIbJMcu/
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 17 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 19 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\BrightVPN-Setup-1.422.634-fb2e56b7_pass123.rar1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BrightVPN-Setup-1.422.634-fb2e56b7_pass123.rar"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zO4AB4AAC7\BrightVPN-Setup-1.422.634-fb2e56b7.exe"C:\Users\Admin\AppData\Local\Temp\7zO4AB4AAC7\BrightVPN-Setup-1.422.634-fb2e56b7.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VPN.exe"C:\Users\Admin\AppData\Local\Temp\VPN.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\BrightVPN-Setup-1.422.631-fb2e56b2.exe"C:\Users\Admin\AppData\Local\Temp\BrightVPN-Setup-1.422.631-fb2e56b2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\brightvpn_installer.exe"C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\brightvpn_installer.exe" /pid=1856 /port=6451 /affiliate= /silent= /exe="C:\Users\Admin\AppData\Local\Temp\BrightVPN-Setup-1.422.631-fb2e56b2.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zO4AB4AAC7\BrightVPN-Setup-1.422.634-fb2e56b7.exeFilesize
1.8MB
MD51ca12c1ddbbc4547fef82491c23913f4
SHA1e2e057825a10e8ba97c0185f7c01da6b449f7023
SHA2562b1b91075512986f811a419c62fe115d5cc8880d8126b9f94386861f82b2c995
SHA512476a0404a1a70dd99bc4f15432c653d6734cf67f7fda8282010791430c0cc9e496f68a1b29089fbc772a6dc22cb3c63b1cf09d0a9dd9bd5edca34a051c789d81
-
C:\Users\Admin\AppData\Local\Temp\BrightVPN-Setup-1.422.631-fb2e56b2.exeFilesize
1.6MB
MD5675aa8befa9d517cc6264816d946ec73
SHA125ad029e425ffee5a38f10b5177a6d348dffcf6b
SHA256729f18179dce4ff60566c140a2eb57c1ff8675c16ec8d16bc101b579825c2489
SHA51242861d22b4218c792c64f8fd7b91399d8f10d4ca5dfbeba8b9fedc06e90611cddc79df15bd1735ca1bff62df32015745e72e9c6ff7dd4d1e9f4b7983708d4fc5
-
C:\Users\Admin\AppData\Local\Temp\VPN.exeFilesize
426KB
MD526e59e7cf9436beec765505fdd4e0d46
SHA12e1e68a4dd9204d984d7e38ad7d39a903a9325ff
SHA256e46a9e520de05d8eb717d49e9f3b9581692ec2690a5413f677aa8da435483284
SHA51299e7acd86a277b60bb266729ce6062fdbc72c96382c012ba8576b246c79b36df0ac4d5615ca77b4fb1593d3bceffc788895bd3cb7d0a41c51829d55a0cca5c1e
-
C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\INetC.dllFilesize
238KB
MD538caa11a462b16538e0a3daeb2fc0eaf
SHA1c22a190b83f4b6dc0d6a44b98eac1a89a78de55c
SHA256ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a
SHA512777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1
-
C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\SpiderBanner.dllFilesize
9KB
MD517309e33b596ba3a5693b4d3e85cf8d7
SHA17d361836cf53df42021c7f2b148aec9458818c01
SHA256996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
SHA5121abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298
-
C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\StdUtils.dllFilesize
100KB
MD5c6a6e03f77c313b267498515488c5740
SHA13d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA5129870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803
-
C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\System.dllFilesize
12KB
MD50d7ad4f45dc6f5aa87f606d0331c6901
SHA148df0911f0484cbe2a8cdd5362140b63c41ee457
SHA2563eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
-
C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\brightvpn_installer.exeFilesize
2.1MB
MD5ead86124e599168b695d0a189c59a09d
SHA19156448ac0e2dd8b9d2d893e581b5082678ca620
SHA256f182bb57ce37e30e532bba3114c7c96b79ae5e94872c2c05822c57d1258ac208
SHA51244fe37d8270bc2c69653aed999b563df9d4e8e099b08e126770ae3517e3ffeb4cf3cdc0568b9bc98b25e67f3b44e5393c7ef4b632fb5149c287110cde8d65246
-
C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\nsProcess.dllFilesize
4KB
MD5f0438a894f3a7e01a4aae8d1b5dd0289
SHA1b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA25630c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7
-
memory/224-67-0x00000000075C0000-0x00000000075CE000-memory.dmpFilesize
56KB
-
memory/224-66-0x00000000075E0000-0x0000000007618000-memory.dmpFilesize
224KB
-
memory/224-65-0x0000000007D50000-0x0000000007D58000-memory.dmpFilesize
32KB
-
memory/224-64-0x0000000005C20000-0x0000000005C42000-memory.dmpFilesize
136KB
-
memory/224-63-0x00000000007B0000-0x00000000009C6000-memory.dmpFilesize
2.1MB
-
memory/4824-49-0x0000000000EF0000-0x0000000000F60000-memory.dmpFilesize
448KB
-
memory/4824-58-0x0000000008CF0000-0x0000000008D3C000-memory.dmpFilesize
304KB
-
memory/4824-57-0x0000000008B80000-0x0000000008BBC000-memory.dmpFilesize
240KB
-
memory/4824-56-0x0000000008B20000-0x0000000008B32000-memory.dmpFilesize
72KB
-
memory/4824-55-0x0000000008BE0000-0x0000000008CEA000-memory.dmpFilesize
1.0MB
-
memory/4824-54-0x00000000090A0000-0x00000000096B8000-memory.dmpFilesize
6.1MB
-
memory/4824-53-0x0000000005B60000-0x0000000005B6A000-memory.dmpFilesize
40KB
-
memory/4824-52-0x00000000059D0000-0x0000000005A62000-memory.dmpFilesize
584KB
-
memory/4824-51-0x0000000005EE0000-0x0000000006484000-memory.dmpFilesize
5.6MB
-
memory/4824-50-0x0000000003320000-0x0000000003340000-memory.dmpFilesize
128KB