Overview

overview

10

Static

static

WhatsApp/WhatsApp.exe

windows7-x64

10

WhatsApp/WhatsApp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2022, 15:19

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    WhatsApp/WhatsApp.exe

  • Size

    700.0MB

  • MD5

    eed6f462fa1726e08e0484b390ca06b0

  • SHA1

    8e70784980600025bbc4fa69498e001c65455a8e

  • SHA256

    658b0fd44002ad353d0cf9cb604e9b8cfcad04a3d221c5133bcf6872bca73577

  • SHA512

    af67542f607afbe0f00de61c4d672b2736a375bd484d445cdd4c1e76407467babdb633849f16bbe411cd87f4194ba4024cdca82a1f8d58339c10d4c972903b9e

  • SSDEEP

    12288:Fwe20JjM2oJNVmnWZQzjFeM6DJOjB9sTTHyW8PCVmGZqfOTP/cBtApi2b3r:FnRqVmnYQb6VOKyKg6b3r

Score
10/10
redlinews-30infostealer

Malware Config

Extracted

Family

redline

Botnet

WS-30

C2

38.91.100.57:32750

Attributes
  • auth_value

    28ec3879b1ff499f6d9b6d3735d23e33

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe
    "C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4048
    • C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe
      C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe
      2⤵
        PID:2488
      • C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe
        C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe
        2⤵
          PID:1444
        • C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe
          C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe
          2⤵
            PID:1864

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WhatsApp.exe.log
                Filesize

                1KB

                MD5

                7200fb09b34d23375c2cff85323af4a4

                SHA1

                0994a0ab70a6f6c8c45b4664bed926779fbd5c2e

                SHA256

                e065d81294bae8c8404e57ce5d9d4db68472cefac1469e49f2e73671a4315e15

                SHA512

                417451e2279b9f1861d317edd8a517a7bb6d1e505c23fb89a16662059d23fbd789223b061ea73217d2042a2221f998c093928a28fd6d8054f53fa174f5dd02de

                Download Submit

              • memory/1864-152-0x0000000005790000-0x00000000057CC000-memory.dmp

                Filesize

                240KB

                Download

              • memory/1864-151-0x0000000005730000-0x0000000005742000-memory.dmp

                Filesize

                72KB

                Download

              • memory/1864-150-0x0000000005800000-0x000000000590A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/1864-149-0x0000000005C80000-0x0000000006298000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/1864-147-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/4048-137-0x00000000057A0000-0x0000000005806000-memory.dmp

                Filesize

                408KB

                Download

              • memory/4048-141-0x0000000006380000-0x000000000639A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/4048-140-0x0000000007510000-0x0000000007B8A000-memory.dmp

                Filesize

                6.5MB

                Download

              • memory/4048-139-0x0000000004C50000-0x0000000004C6E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/4048-138-0x0000000005810000-0x0000000005876000-memory.dmp

                Filesize

                408KB

                Download

              • memory/4048-136-0x00000000050A0000-0x00000000056C8000-memory.dmp

                Filesize

                6.2MB

                Download

              • memory/4048-135-0x00000000028C0000-0x00000000028F6000-memory.dmp

                Filesize

                216KB

                Download

              • memory/4832-142-0x0000000005B90000-0x0000000005C22000-memory.dmp

                Filesize

                584KB

                Download

              • memory/4832-143-0x0000000027390000-0x0000000027934000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/4832-132-0x00000000008C0000-0x0000000000A5C000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/4832-133-0x0000000005710000-0x0000000005732000-memory.dmp

                Filesize

                136KB

                Download