Analysis
- max time kernel: 185s
- max time network: 300s
- platform: windows10-1703_x64
- resource: win10-20240611-en
- resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 02-07-2024 00:15
Static task
- static1

Behavioral tasks (sample, resource)
- behavioral1: github.software.1.2.8.zip (win10-20240611-en)
- behavioral2: Setup_latest.exe (win10-20240611-en)
- behavioral3: $PLUGINSDIR/INetC.dll (win10-20240404-en)
- behavioral4: $PLUGINSDIR/StdUtils.dll (win10-20240404-en)
- behavioral5: $PLUGINSDIR/System.dll (win10-20240404-en)
- behavioral6: $PLUGINSDIR/UAC.dll (win10-20240404-en)
- behavioral7: $PLUGINSDIR/WinShell.dll (win10-20240404-en)
- behavioral8: $PLUGINSDIR/nsDialogs.dll (win10-20240404-en)
- behavioral9: $PLUGINSDIR/nsExec.dll (win10-20240404-en)
- behavioral10: $PLUGINSDIR/nsis7z.dll (win10-20240404-en)
- behavioral11: $R0/Uninstall Bitwarden.exe (win10-20240404-en)
General
- Target: Setup_latest.exe
- Size: 1.4MB
- MD5: eb48500860ece87bc7a169118c929fb3
- SHA1: bb20b2598d5ac31d36717f316fc733c4f8df9a9c
- SHA256: b96862087581adb9ecfb9615a46eedb29d13c606e708b7b532ce6ed3217925a4
- SHA512: d595378bdc733b17697a5aa075e78082e863189255594f6c805380e745ea0bd66631bd3d58289f5c4b051c5073b61fe1ad70953ef84d305397b6ecf296789c9c
- SSDEEP: 24576:ZxgPnpq2yAY1szLSvJwv4ahekPxMB7Du173pG1szLSvJwv4a:EnpNyA9qvCvHOBK73pfqvCv
Malware Config
Extracted:
- redline
- red
- 147.45.44.12:13830
Signatures
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC): resource behavioral2/memory/900-4-0x0000000004E20000-0x0000000004E70000-memory.dmp matched YARA rule family_redline.
- Reads user/profile data of web browsers (2 TTPs): Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP): Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (3 IoCs): Setup_latest.exe (pid 900), three occurrences.
- Suspicious use of AdjustPrivilegeToken (1 IoC): Setup_latest.exe (pid 900) enabled Token: SeDebugPrivilege.