Analysis
- max time kernel: 57s
- max time network: 68s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 22-09-2022 18:00
Behavioral task: behavioral1
- Sample: WhatsApp/WhatsApp.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: WhatsApp/WhatsApp.exe
- Resource: win10v2004-20220812-en
General
- Target: WhatsApp/WhatsApp.exe
- Size: 700.0MB
- MD5: 76e4e31dd3e40ac6790c83fa48419a55
- SHA1: f42363c9ca8325a47efd4f01f177702433d78ff8
- SHA256: 661d2ed323c8703a7466774162972254589be4ab04abd6067d70ab44bc70d978
- SHA512: 78ae771f67d5c1c66d2e8ffc1f3dd398b6cd87c6ee813e6108e0f0c8cdfb8cd656c82d3ec4fff7b9d9f84c31e0cfd00b613150bb6eb22ad942c00a5aed379b8e
- SSDEEP: 98304:NCDnyTWzDCidsFXGAtljN36bZfRE7Rtc/vNK3egPJP:N2qM+idivVNKbZfREVtc0PJP
Malware Config
Extracted
- redline
- ws-19
- 38.91.100.57:32750
- auth_value: b8974207e31b05e60d39e04eba8eeb0b
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (6 IoCs)
  Processes (resource: yara_rule):
  - behavioral1/memory/1152-65-0x0000000000400000-0x0000000000428000-memory.dmp: family_redline
  - behavioral1/memory/1152-66-0x0000000000400000-0x0000000000428000-memory.dmp: family_redline
  - behavioral1/memory/1152-67-0x0000000000400000-0x0000000000428000-memory.dmp: family_redline
  - behavioral1/memory/1152-68-0x0000000000422116-mapping.dmp: family_redline
  - behavioral1/memory/1152-70-0x0000000000400000-0x0000000000428000-memory.dmp: family_redline
  - behavioral1/memory/1152-72-0x0000000000400000-0x0000000000428000-memory.dmp: family_redline
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes (resource: yara_rule):
  - behavioral1/memory/1972-54-0x00000000009C0000-0x0000000000DB6000-memory.dmp: agile_net
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 1972 set thread context of 1152 / 1972 / WhatsApp.exe / InstallUtil.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid / process):
  - 1760 / powershell.exe
  - 1972 / WhatsApp.exe
  - 1972 / WhatsApp.exe
  - 1152 / InstallUtil.exe
  - 1152 / InstallUtil.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 1760 / powershell.exe
  - Token: SeDebugPrivilege / 1972 / WhatsApp.exe
  - Token: SeDebugPrivilege / 1152 / InstallUtil.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description / pid / process / target process):
  - PID 1972 wrote to memory of 1760 / 1972 / WhatsApp.exe / powershell.exe (4 occurrences)
  - PID 1972 wrote to memory of 1152 / 1972 / WhatsApp.exe / InstallUtil.exe (12 occurrences)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
    (the -enc argument is base64-encoded UTF-16LE and decodes to: Start-Sleep -Seconds 15)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dump / file size)
- memory/1152-63-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/1152-72-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/1152-70-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/1152-68-0x0000000000422116-mapping.dmp
- memory/1152-67-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/1152-66-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/1152-65-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/1152-62-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/1760-61-0x000000006F7E0000-0x000000006FD8B000-memory.dmp: 5.7MB
- memory/1760-60-0x000000006F7E0000-0x000000006FD8B000-memory.dmp: 5.7MB
- memory/1760-58-0x0000000000000000-mapping.dmp
- memory/1972-54-0x00000000009C0000-0x0000000000DB6000-memory.dmp: 4.0MB
- memory/1972-57-0x00000000024E0000-0x0000000002572000-memory.dmp: 584KB
- memory/1972-56-0x0000000075501000-0x0000000075503000-memory.dmp: 8KB
- memory/1972-55-0x0000000000910000-0x00000000009C6000-memory.dmp: 728KB