Analysis
-
max time kernel
277s -
max time network
286s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
20-07-2023 03:39
Behavioral task
behavioral1
Sample
b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe
Resource
win10-20230703-en
General
-
Target
b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe
-
Size
3.0MB
-
MD5
f0c28a4e827bbc75a2d28f6abdce56b2
-
SHA1
8991e8b3f6a3def5c56b972c80df713def04fdbd
-
SHA256
b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e
-
SHA512
995b412aed0eabe6ed8834f7dd57ed99de797da6c7f06f601f573e9b13fa27101c894f2c8f8c7574cf73d3ce413af31598c31174aa235f9ff39ed887292c5256
-
SSDEEP
49152:SSGHmYONvphn06NUNKvkJKfyeVe0L/Afybp23OLop2NDmGX2YE/0B76RbWG4AGDp:BILONvphn06yNKAKa2YybpqO3DjNNBq2
Malware Config
Extracted
redline
190723_rc_11
rcam19.tuktuk.ug:11290
-
auth_value
bdb30d37675736a264bc8bbc3996bfe7
Extracted
laplas
http://lpls.tuktuk.ug
-
api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Notepod.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ntlhost.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ntlhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ntlhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Notepod.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Notepod.exe -
Executes dropped EXE 2 IoCs
pid Process 1256 Notepod.exe 2968 ntlhost.exe -
Loads dropped DLL 2 IoCs
pid Process 3028 AppLaunch.exe 1256 Notepod.exe -
resource yara_rule behavioral1/memory/1456-73-0x0000000000250000-0x000000000091E000-memory.dmp themida behavioral1/memory/1456-126-0x0000000000250000-0x000000000091E000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" Notepod.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Notepod.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ntlhost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe 1256 Notepod.exe 2968 ntlhost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1456 set thread context of 3028 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe 28 -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 6 Go-http-client/1.1 -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe 3028 AppLaunch.exe 3028 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe Token: SeDebugPrivilege 3028 AppLaunch.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 1456 wrote to memory of 3028 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe 28 PID 1456 wrote to memory of 3028 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe 28 PID 1456 wrote to memory of 3028 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe 28 PID 1456 wrote to memory of 3028 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe 28 PID 1456 wrote to memory of 3028 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe 28 PID 1456 wrote to memory of 3028 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe 28 PID 1456 wrote to memory of 3028 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe 28 PID 1456 wrote to memory of 3028 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe 28 PID 1456 wrote to memory of 3028 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe 28 PID 1456 wrote to memory of 3028 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe 28 PID 1456 wrote to memory of 3028 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe 28 PID 1456 wrote to memory of 3028 1456 b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe 28 PID 3028 wrote to memory of 1256 3028 AppLaunch.exe 32 PID 3028 wrote to memory of 1256 3028 AppLaunch.exe 32 PID 3028 wrote to memory of 1256 3028 AppLaunch.exe 32 PID 3028 wrote to memory of 1256 3028 AppLaunch.exe 32 PID 1256 wrote to memory of 2968 1256 Notepod.exe 33 PID 1256 wrote to memory of 2968 1256 Notepod.exe 33 PID 1256 wrote to memory of 2968 1256 Notepod.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe"C:\Users\Admin\AppData\Local\Temp\b0e4d761ebaa601cd4fa602aa55e06c3615b228c9df0b67fec2dd73857f8ca6e.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Users\Admin\AppData\Local\Temp\Notepod.exe"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2968
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.6MB
MD544e4af2a42e0709726bc55c48755b6c6
SHA1f30667ab145f876ed67f3568771c9f44cbb075c8
SHA2564f7f72d5fa0dbdd886de53c3e9bc01cd76bbb94d8d3b0d1deba3eb56d84f1ea4
SHA512ce98088c7ef0c6ba4e0d0acade13eca5d7dfbfea572c805bc28b26c5cb86889b0d19fdd0e194dd80398c1a4734c201045d63b406bf102f9ff10b94bef8929844
-
Filesize
4.6MB
MD544e4af2a42e0709726bc55c48755b6c6
SHA1f30667ab145f876ed67f3568771c9f44cbb075c8
SHA2564f7f72d5fa0dbdd886de53c3e9bc01cd76bbb94d8d3b0d1deba3eb56d84f1ea4
SHA512ce98088c7ef0c6ba4e0d0acade13eca5d7dfbfea572c805bc28b26c5cb86889b0d19fdd0e194dd80398c1a4734c201045d63b406bf102f9ff10b94bef8929844
-
Filesize
835.6MB
MD5576cc6a0bd4cf0b80181fe2a8c3832bb
SHA1476c98bc278940279557e701f88ca62a5e793198
SHA256c6f47b4ffb00926a17642107bdb426df8e369b2e7045f40c9400188693c37257
SHA5123b3fc29ff751d611c76985aece675cbea778788bbf7b4e956d6ea8c180c207908903356436cb645d04d52c1b71e4c255153a2f2986157150396e5a9a6b37e284
-
Filesize
835.6MB
MD5576cc6a0bd4cf0b80181fe2a8c3832bb
SHA1476c98bc278940279557e701f88ca62a5e793198
SHA256c6f47b4ffb00926a17642107bdb426df8e369b2e7045f40c9400188693c37257
SHA5123b3fc29ff751d611c76985aece675cbea778788bbf7b4e956d6ea8c180c207908903356436cb645d04d52c1b71e4c255153a2f2986157150396e5a9a6b37e284
-
Filesize
4.6MB
MD544e4af2a42e0709726bc55c48755b6c6
SHA1f30667ab145f876ed67f3568771c9f44cbb075c8
SHA2564f7f72d5fa0dbdd886de53c3e9bc01cd76bbb94d8d3b0d1deba3eb56d84f1ea4
SHA512ce98088c7ef0c6ba4e0d0acade13eca5d7dfbfea572c805bc28b26c5cb86889b0d19fdd0e194dd80398c1a4734c201045d63b406bf102f9ff10b94bef8929844
-
Filesize
835.6MB
MD5576cc6a0bd4cf0b80181fe2a8c3832bb
SHA1476c98bc278940279557e701f88ca62a5e793198
SHA256c6f47b4ffb00926a17642107bdb426df8e369b2e7045f40c9400188693c37257
SHA5123b3fc29ff751d611c76985aece675cbea778788bbf7b4e956d6ea8c180c207908903356436cb645d04d52c1b71e4c255153a2f2986157150396e5a9a6b37e284