Analysis
-
max time kernel
141s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
10/07/2023, 13:06
Behavioral task
behavioral1
Sample
46ef6daecec030061841713f7.exe
Resource
win7-20230703-en
Behavioral task
behavioral2
Sample
46ef6daecec030061841713f7.exe
Resource
win10v2004-20230703-en
General
-
Target
46ef6daecec030061841713f7.exe
-
Size
2.6MB
-
MD5
65482e3a11dff25a26f8b9667999ae5f
-
SHA1
967455baa933e5122008db83ebf0f0be29d8afa1
-
SHA256
46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1
-
SHA512
d4475480c623ddf2a648977af78548470a56e115990018fc91b354b939949a36f7dd84822d4dee54c3a9df690b4d70deef43eb55420f38fe9186a9d26fd1c6b3
-
SSDEEP
49152:DLZTeIJtQrmRw7mGRPsIbGHH04cmjloa2TouNMjTuyRQeWhKIjAkSt80rY:D5IrmRwKGSTHtjWa2cbTuySeWhKCSvY
Malware Config
Extracted
redline
090723_rc_11
rcam.tuktuk.ug:11290
-
auth_value
abd581cdd66d51ad306682319cafa5a0
Extracted
laplas
http://lpls.tuktuk.ug
-
api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ntlhost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 46ef6daecec030061841713f7.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ntlhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ntlhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 46ef6daecec030061841713f7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 46ef6daecec030061841713f7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion chrome.exe -
Executes dropped EXE 2 IoCs
pid Process 3684 chrome.exe 4752 ntlhost.exe -
resource yara_rule behavioral2/memory/3896-137-0x0000000000300000-0x000000000094A000-memory.dmp themida behavioral2/memory/3896-168-0x0000000000300000-0x000000000094A000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" chrome.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 46ef6daecec030061841713f7.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA chrome.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ntlhost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 3896 46ef6daecec030061841713f7.exe 3684 chrome.exe 4752 ntlhost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3896 set thread context of 2744 3896 46ef6daecec030061841713f7.exe 84 -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 37 Go-http-client/1.1 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3896 46ef6daecec030061841713f7.exe 3896 46ef6daecec030061841713f7.exe 2744 MsBuild.exe 2744 MsBuild.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3896 46ef6daecec030061841713f7.exe Token: SeDebugPrivilege 2744 MsBuild.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3896 wrote to memory of 2744 3896 46ef6daecec030061841713f7.exe 84 PID 3896 wrote to memory of 2744 3896 46ef6daecec030061841713f7.exe 84 PID 3896 wrote to memory of 2744 3896 46ef6daecec030061841713f7.exe 84 PID 3896 wrote to memory of 2744 3896 46ef6daecec030061841713f7.exe 84 PID 3896 wrote to memory of 2744 3896 46ef6daecec030061841713f7.exe 84 PID 3896 wrote to memory of 2744 3896 46ef6daecec030061841713f7.exe 84 PID 3896 wrote to memory of 2744 3896 46ef6daecec030061841713f7.exe 84 PID 3896 wrote to memory of 2744 3896 46ef6daecec030061841713f7.exe 84 PID 2744 wrote to memory of 3684 2744 MsBuild.exe 87 PID 2744 wrote to memory of 3684 2744 MsBuild.exe 87 PID 3684 wrote to memory of 4752 3684 chrome.exe 89 PID 3684 wrote to memory of 4752 3684 chrome.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\46ef6daecec030061841713f7.exe"C:\Users\Admin\AppData\Local\Temp\46ef6daecec030061841713f7.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\chrome.exe"C:\Users\Admin\AppData\Local\Temp\chrome.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4752
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.4MB
MD5f2e100f576b44fdb37d874db2e48085c
SHA123091a0b5231d69d85866fede573b25577e20414
SHA25677530f67cff4fc2456c0b27abf28d1ab1f4f10fd9be039783adfa25ed1f7f196
SHA51214bd861a48f201a195d322e4c00f758996d2be8b6d78a1c927af53a00e029e9be7db4002c48a80f88d2869e9ba412724ec7a47c8da09faf79133df2edc608f85
-
Filesize
4.4MB
MD5f2e100f576b44fdb37d874db2e48085c
SHA123091a0b5231d69d85866fede573b25577e20414
SHA25677530f67cff4fc2456c0b27abf28d1ab1f4f10fd9be039783adfa25ed1f7f196
SHA51214bd861a48f201a195d322e4c00f758996d2be8b6d78a1c927af53a00e029e9be7db4002c48a80f88d2869e9ba412724ec7a47c8da09faf79133df2edc608f85
-
Filesize
4.4MB
MD5f2e100f576b44fdb37d874db2e48085c
SHA123091a0b5231d69d85866fede573b25577e20414
SHA25677530f67cff4fc2456c0b27abf28d1ab1f4f10fd9be039783adfa25ed1f7f196
SHA51214bd861a48f201a195d322e4c00f758996d2be8b6d78a1c927af53a00e029e9be7db4002c48a80f88d2869e9ba412724ec7a47c8da09faf79133df2edc608f85
-
Filesize
356.0MB
MD51f54e94f119e14797394e37656199d67
SHA1ca1bfd40d022627866eb53603496361d952120c4
SHA256c92a96a68d191bec6aa58a073e4220382f7f01bf3594520308cc45d6c6a2da43
SHA5125fb68944b7a2fc30e080d1aaa85bb24796871311b002be463dd7e3781b225f2e75a18ca96151a54b6622e96ad5c9296ff0a2a12a74a879d21006449210b16744
-
Filesize
363.7MB
MD5a6dbc44fe4d8ef109421c854efe3da2d
SHA1a3833d3e115c4f9fb56ed34031e9fd8f8cc75ece
SHA2564d784dc298750d618beb6522abeb6eecad78e02a80a1abcd6c414d8d016984ca
SHA5127b4d43edfa4f187a18ee63bfc88582dc3e6086f46d9a3ac36668ed89977f4da67ceebbe524b813938fe9e579f9afb1b38208cf16f665cb3b0fa3033730e8d8bf