Malicious Inno Setup Loader Deploys RedLine Stealer

MITRE Techniques

• [T1622] Debugger Evasion – The malicious Pascal script uses XOR encryption and WMI queries to detect and terminate if malware analysis tools are present (“Select * From Win32_Process where Name=”).
• [T1497] Sandbox Evasion – Checks file name patterns and system info via WMI to avoid triggering in sandbox environments.
• [T1071.001] Web Protocols – Uses TinyURL shortened links and authenticated requests with custom headers (rentry-auth) to retrieve next-stage payloads.
• [T1027.015] Compression – Employs renamed 7za.exe (idp.exe) to extract encrypted and password-protected payload archives.
• [T1053] Scheduled Task/Job – Creates hidden scheduled tasks that execute the malware on system reboot for persistence.
• [T1574.001] Hijack Execution Flow: DLL Sideloading – Loads trojanized DLLs (QtGuid4.dll) via legitimate executables to decrypt and execute shellcode.
• [T1027] Obfuscated Files or Information – Conceals modular loader components inside manipulated PNG-like files using XOR decryption and compression.
• [T1127.001] MSBuild – Injects decrypted final payload into MSBuild.exe process to obscure execution.
• [T1027.010] Command Obfuscation – Uses constant unfolding obfuscation to dynamically build parameters and evade static detection.
• [T1497] Browser Sandbox Evasion – Launches Chrome with –no-sandbox and –user-data-dir flags to evade browser security sandboxing.
• [T1562.001] Disable or Modify Tools – Runs Internet Explorer with -extoff flag to disable extensions and security addons during malicious activity.
• [T1047] Windows Management Instrumentation – Uses WMI queries to gather detailed system info for profiling and evasion.
• [T1555.003] Credentials from Web Browsers – Targets browser stored credentials and cryptocurrency wallet extensions to steal data.