Analysis
- max time kernel: 141s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-09-2022 18:00
Behavioral task: behavioral1
- Sample: WhatsApp/WhatsApp.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: WhatsApp/WhatsApp.exe
- Resource: win10v2004-20220812-en
General
- Target: WhatsApp/WhatsApp.exe
- Size: 700.0MB
- MD5: 76e4e31dd3e40ac6790c83fa48419a55
- SHA1: f42363c9ca8325a47efd4f01f177702433d78ff8
- SHA256: 661d2ed323c8703a7466774162972254589be4ab04abd6067d70ab44bc70d978
- SHA512: 78ae771f67d5c1c66d2e8ffc1f3dd398b6cd87c6ee813e6108e0f0c8cdfb8cd656c82d3ec4fff7b9d9f84c31e0cfd00b613150bb6eb22ad942c00a5aed379b8e
- SSDEEP: 98304:NCDnyTWzDCidsFXGAtljN36bZfRE7Rtc/vNK3egPJP:N2qM+idivVNKbZfREVtc0PJP
Malware Config
Extracted
- Family: redline
- Botnet: ws-19
- C2: 38.91.100.57:32750
- auth_value: b8974207e31b05e60d39e04eba8eeb0b
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoCs)
  Processes:
  - resource: behavioral2/memory/4428-143-0x0000000000400000-0x0000000000428000-memory.dmp; yara_rule: family_redline
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - WhatsApp.exe; description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- Obfuscated with Agile.Net obfuscator (1 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
  - resource: behavioral2/memory/2064-132-0x0000000000B70000-0x0000000000F66000-memory.dmp; yara_rule: agile_net
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - PID 2064 (WhatsApp.exe) set thread context of PID 4428 (InstallUtil.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process; each hit twice):
  - 3900 powershell.exe
  - 2064 WhatsApp.exe
  - 4428 InstallUtil.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - Token: SeDebugPrivilege; PID 3900 powershell.exe
  - Token: SeDebugPrivilege; PID 2064 WhatsApp.exe
  - Token: SeDebugPrivilege; PID 4428 InstallUtil.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 2064 (WhatsApp.exe) wrote to memory of PID 3900 (powershell.exe): 3 hits
  - PID 2064 (WhatsApp.exe) wrote to memory of PID 4428 (InstallUtil.exe): 8 hits
Processes
- C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, child of WhatsApp.exe)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
    (the -enc argument is base64 of UTF-16LE text and decodes to: Start-Sleep -Seconds 15)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (depth 2, child of WhatsApp.exe)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads