Analysis
- max time kernel: 63s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-09-2022 05:59
Behavioral task behavioral1
- Sample: WhatsApp.exe
- Resource: win7-20220901-en
Behavioral task behavioral2
- Sample: WhatsApp.exe
- Resource: win10v2004-20220812-en
General
- Target: WhatsApp.exe
- Size: 700.0MB
- MD5: 76e4e31dd3e40ac6790c83fa48419a55
- SHA1: f42363c9ca8325a47efd4f01f177702433d78ff8
- SHA256: 661d2ed323c8703a7466774162972254589be4ab04abd6067d70ab44bc70d978
- SHA512: 78ae771f67d5c1c66d2e8ffc1f3dd398b6cd87c6ee813e6108e0f0c8cdfb8cd656c82d3ec4fff7b9d9f84c31e0cfd00b613150bb6eb22ad942c00a5aed379b8e
- SSDEEP: 98304:NCDnyTWzDCidsFXGAtljN36bZfRE7Rtc/vNK3egPJP:N2qM+idivVNKbZfREVtc0PJP
Malware Config
Extracted
- Family: redline
- Botnet: ws-19
- C2: 38.91.100.57:32750
- auth_value: b8974207e31b05e60d39e04eba8eeb0b
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Processes:
  - resource: behavioral2/memory/1848-143-0x0000000000400000-0x0000000000428000-memory.dmp; yara_rule: family_redline
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation; process: WhatsApp.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
  - resource: behavioral2/memory/3708-132-0x0000000000EC0000-0x00000000012B6000-memory.dmp; yara_rule: agile_net
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - description: PID 3708 set thread context of 1848; pid: 3708; process: WhatsApp.exe; target process: InstallUtil.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  - pid: 3984; process: powershell.exe (2 entries)
  - pid: 3708; process: WhatsApp.exe (2 entries)
  - pid: 1848; process: InstallUtil.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - description: Token: SeDebugPrivilege; pid: 3984; process: powershell.exe
  - description: Token: SeDebugPrivilege; pid: 3708; process: WhatsApp.exe
  - description: Token: SeDebugPrivilege; pid: 1848; process: InstallUtil.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - description: PID 3708 wrote to memory of 3984; pid: 3708; process: WhatsApp.exe; target process: powershell.exe (3 entries)
  - description: PID 3708 wrote to memory of 1848; pid: 3708; process: WhatsApp.exe; target process: InstallUtil.exe (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\WhatsApp.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WhatsApp.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
    (the -enc argument is UTF-16LE base64 and decodes to: Start-Sleep -Seconds 15)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1848-147-0x0000000005770000-0x00000000057AC000-memory.dmp (240KB)
- memory/1848-150-0x00000000070E0000-0x00000000072A2000-memory.dmp (1.8MB)
- memory/1848-143-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/1848-142-0x0000000000000000-mapping.dmp
- memory/1848-152-0x0000000006990000-0x0000000006A06000-memory.dmp (472KB)
- memory/1848-151-0x00000000077E0000-0x0000000007D0C000-memory.dmp (5.2MB)
- memory/1848-145-0x00000000057E0000-0x00000000058EA000-memory.dmp (1.0MB)
- memory/1848-146-0x0000000005710000-0x0000000005722000-memory.dmp (72KB)
- memory/1848-144-0x0000000005CF0000-0x0000000006308000-memory.dmp (6.1MB)
- memory/1848-149-0x0000000006660000-0x00000000066F2000-memory.dmp (584KB)
- memory/1848-153-0x0000000006A10000-0x0000000006A60000-memory.dmp (320KB)
- memory/1848-148-0x0000000006B30000-0x00000000070D4000-memory.dmp (5.6MB)
- memory/3708-132-0x0000000000EC0000-0x00000000012B6000-memory.dmp (4.0MB)
- memory/3708-133-0x0000000005F10000-0x0000000005F32000-memory.dmp (136KB)
- memory/3984-138-0x0000000005ED0000-0x0000000005F36000-memory.dmp (408KB)
- memory/3984-140-0x0000000007CB0000-0x000000000832A000-memory.dmp (6.5MB)
- memory/3984-134-0x0000000000000000-mapping.dmp
- memory/3984-141-0x0000000006990000-0x00000000069AA000-memory.dmp (104KB)
- memory/3984-139-0x00000000064A0000-0x00000000064BE000-memory.dmp (120KB)
- memory/3984-137-0x0000000005770000-0x00000000057D6000-memory.dmp (408KB)
- memory/3984-136-0x00000000058A0000-0x0000000005EC8000-memory.dmp (6.2MB)
- memory/3984-135-0x0000000002EF0000-0x0000000002F26000-memory.dmp (216KB)