Analysis

max time kernel: 275s
max time network: 285s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 22-07-2023 22:13
Behavioral tasks

behavioral1
  Sample: b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
  Resource: win7-20230712-en

behavioral2
  Sample: b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
  Resource: win10-20230703-en

(The signatures, process tree and downloads below are from behavioral1, the Windows 7 x64 run.)
General

Target: b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Size: 2.8MB
MD5: 4fee4dfe32401be36ab9d2f6e41f6228
SHA1: 897fe7fb7242cc6ec4964183141a8f0c7d5f172e
SHA256: b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1
SHA512: cb2f786ab00d7e1484cc977f56daf7e555909fdc7a9da14e0f541ef00b58fb8f78241c4cb79dccbe7d99cb7e772c3791d143346c1e75604e98176c121cb55c18
SSDEEP: 49152:uxAUjfZ+AnOsIOyocA+YwZavG/Mfow7HSG5RXE10M97MKcGt6I69DpL9PlIvuyJt:Q9gAnWoR+YMav5oUb5RaBptoJpLjOJcw
Malware Config

Extracted: redline
  210723_rc_11
  rcam21.tuktuk.ug:11290
  auth_value: dd5c2e37dd240447def77d8a4c6244f5

Extracted: laplas
  http://lpls.tuktuk.ug
  api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Both extracted configs point at hosts under tuktuk.ug: the RedLine server at rcam21.tuktuk.ug:11290 (a bare host:port, no HTTP scheme) and the Laplas server at http://lpls.tuktuk.ug. When blocking, cover the parent domain rather than only the two hostnames, since the same operator controls both.
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Identifies VirtualBox via ACPI registry values (likely anti-VM)   2 TTPs, 3 IoCs
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Notepod.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ntlhost.exe
Downloads MZ/PE file
Checks BIOS information in registry   2 TTPs, 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Notepod.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Notepod.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ntlhost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ntlhost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
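The VBOX__ ACPI key and the two BIOS values above are queried by all three executables in the chain, which is what you expect when the same protector (the Themida-packed stub) wraps each stage. The following is an added example, not code from the sample or the sandbox: it re-implements those registry checks as a plain heuristic over a registry snapshot so you can see why a stock VirtualBox guest fails them and what a hardened sandbox has to change. The key path and value names come from the report; the snapshot contents, the marker strings and the hardened values are constructed assumptions.

```python
"""Registry-based VM detection, replayed offline (added example; not the sample's code).

Windows mirrors the firmware ACPI tables under HKLM\HARDWARE\ACPI\<table>\<OEM id>, and
VirtualBox stamps its tables with the OEM id "VBOX", so the mere existence of
HARDWARE\ACPI\DSDT\VBOX__ is a tell. The BIOS strings are the second, weaker signal.
"""

ACPI_VBOX_KEY = r"HARDWARE\ACPI\DSDT\VBOX__"          # from the report (HKLM-relative)
BIOS_VALUES = (                                        # from the report (HKLM-relative)
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HARDWARE\DESCRIPTION\System\VideoBiosVersion",
)
# Assumption: the substrings an anti-VM routine typically searches the BIOS strings for.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "PARALLELS")


def vm_indicators(snapshot):
    """Return the indicators that fire on an HKLM snapshot.

    `snapshot` maps an HKLM-relative key or value path to its data. A key that exists
    but carries no data maps to None; REG_MULTI_SZ data is a list of strings.
    """
    hits = []
    if ACPI_VBOX_KEY in snapshot:
        hits.append("key exists: " + ACPI_VBOX_KEY)
    for path in BIOS_VALUES:
        data = snapshot.get(path)
        if data is None:
            continue
        strings = data if isinstance(data, list) else [str(data)]
        for s in strings:
            if any(marker in s.upper() for marker in VM_MARKERS):
                hits.append(f"{path} = {s!r}")
                break
    return hits


def verdict(snapshot):
    """'vm' if any indicator fires, otherwise 'bare-metal' (the decision the stub makes)."""
    return "vm" if vm_indicators(snapshot) else "bare-metal"


# Constructed snapshots (not captured from this analysis): a stock VirtualBox guest, and the
# same guest after the BIOS strings were patched and the DSDT OEM id renamed.
STOCK_VBOX = {
    ACPI_VBOX_KEY: None,
    BIOS_VALUES[0]: ["VBOX   - 1"],
    BIOS_VALUES[1]: ["Oracle VM VirtualBox VBE Adapter"],
}
HARDENED_SANDBOX = {
    r"HARDWARE\ACPI\DSDT\DELL__": None,
    BIOS_VALUES[0]: ["DELL   - 1072009", "Default System BIOS"],
    BIOS_VALUES[1]: ["Intel Video BIOS"],
}


def read_live_snapshot():
    """Collect the same key and values from the running host (Windows only, via winreg)."""
    import winreg  # standard library, available only on Windows
    snap = {}
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACPI_VBOX_KEY))
        snap[ACPI_VBOX_KEY] = None
    except OSError:
        pass
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System") as key:
        for path in BIOS_VALUES:
            try:
                snap[path] = winreg.QueryValueEx(key, path.rsplit("\\", 1)[1])[0]
            except OSError:
                pass
    return snap


if __name__ == "__main__":
    for name, snap in (("stock VirtualBox", STOCK_VBOX), ("hardened sandbox", HARDENED_SANDBOX)):
        print(f"{name}: {verdict(snap)} {vm_indicators(snap)}")
```

Run it on the host under test with `verdict(read_live_snapshot())`; the offline snapshots show the hardened guest only passes once both the DSDT OEM id and the BIOS strings are changed, since each signal is checked independently.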
Executes dropped EXE   2 IoCs
  pid | process
  3024 | Notepod.exe
  2152 | ntlhost.exe
Loads dropped DLL   2 IoCs
  pid | process
  2900 | AppLaunch.exe
  3024 | Notepod.exe

Themida packer detected (yara rule: themida)   2 IoCs
  resource | yara_rule
  behavioral1/memory/2604-64-0x0000000000F90000-0x0000000001632000-memory.dmp | themida
  behavioral1/memory/2604-111-0x0000000000F90000-0x0000000001632000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting   2 TTPs
Adds Run key to start application   2 TTPs, 1 IoCs
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | Notepod.exe
Checks whether UAC is enabled   3 IoCs
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntlhost.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Notepod.exe
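The persistence above is the textbook user-level pattern: a binary running from %TEMP% registers a copy of itself (under a system-sounding name, NTSystem\ntlhost.exe) in HKCU\...\Run, needing no elevation at all, which is also why the EnableLUA query is only informational for the sample. The block below is an added example, not the sandbox's or the sample's code, showing how to score Run-key writes from registry-write telemetry so that this entry ranks above legitimate per-user autostarts. The events are constructed in the shape of a Sysmon event 13 (RegistryEvent SetValue) record and reproduce the report's IoC plus contrasting benign entries; the field names, the path patterns and the severity thresholds are assumptions.

```python
"""Score Run/RunOnce registry writes for persistence (added example; constructed telemetry)."""
import json
import re

# Directories any user can write to: an autostart entry pointing here needs no admin rights,
# survives logoff, and is exactly what a user-level dropper produces.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)

SID = "S-1-5-21-4219371764-2579186923-3390623117-1000"   # the user SID from the report

# Constructed JSON-lines telemetry. The first record reproduces the report's IoC; the others
# are invented benign writes to show how the scoring separates them.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\Notepod.exe",
                "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem",
                "Details": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"}),
    json.dumps({"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
                "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"}),
    json.dumps({"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
                "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
                "Details": r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'}),
    json.dumps({"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\Notepod.exe",
                "TargetObject": rf"HKU\{SID}\Software\Classes\.txt", "Details": "txtfile"}),
]


def _exe_dir(command):
    """Directory of the executable in a command line (handles quoting and trailing arguments)."""
    command = command.strip()
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[0].lower()


def score_run_key_writes(lines):
    """Return one finding per Run/RunOnce value write with the reasons it looked suspicious."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
            continue
        target, writer = ev.get("Details", ""), ev.get("Image", "")
        reasons = []
        if USER_WRITABLE.search(target):
            reasons.append("autostart target lives in a user-writable directory")
        if USER_WRITABLE.search(writer):
            reasons.append("writer runs from a user-writable directory")
        if _exe_dir(target) != _exe_dir(writer):
            reasons.append("writer registers a binary outside its own directory (dropper pattern)")
        severity = {0: "info", 1: "low", 2: "medium"}.get(len(reasons), "high")
        findings.append({"key": ev["TargetObject"], "target": target, "writer": writer,
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in score_run_key_writes(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["key"].rsplit("\\", 1)[1], "->", f["target"])
        for reason in f["reasons"]:
            print("   ", reason)
```

The report's entry scores "high" on all three signals; the OneDrive-style entry lands at "medium" because it also lives in AppData but registers its own directory, and an installer writing into Program Files from msiexec only trips the cross-directory check. Treat the medium tier as the allow-list zone, not as noise to drop.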
Suspicious use of NtSetInformationThreadHideFromDebugger   3 IoCs
  pid | process
  2604 | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
  3024 | Notepod.exe
  2152 | ntlhost.exe
Suspicious use of SetThreadContext   1 IoCs
  description | pid | process | procid_target
  PID 2604 set thread context of 2900 | 2604 | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe | 28
GoLang User-Agent   1 IoCs
Uses the default User-Agent string set by the Go HTTP packages.
  description | flow | ioc
  HTTP User-Agent header | 6 | Go-http-client/1.1
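A Go-http-client/1.1 User-Agent is only a weak signal on its own (Docker, Prometheus exporters and most Go CLI tools send it too), so it earns an alert when it appears together with destination context, here the hosts from the extracted configs. The block below is an added example, not the sandbox's code, that matches both the default Go User-Agent and the tuktuk.ug hosts from the Malware Config section against proxy logs. The log lines, their tab-separated layout and the internal allow-list are constructed assumptions; the indicators themselves come from the report.

```python
"""Match the report's network indicators against proxy logs (added example; constructed log)."""

GO_DEFAULT_UA = "Go-http-client/1.1"                    # from the report
CONFIG_HOSTS = {"rcam21.tuktuk.ug", "lpls.tuktuk.ug"}   # RedLine C2 and Laplas server from the configs
CONFIG_DOMAIN = ".tuktuk.ug"                            # parent domain shared by both configs
# Assumption: Go-based tooling is expected to talk to these internal hosts.
GO_ALLOWLIST = {"registry.corp.example", "prometheus.corp.example"}

# Constructed proxy log: time \t client \t host \t port \t method \t path \t user-agent
SAMPLE_LOG = """\
2023-07-22T22:14:03Z\t10.0.5.17\tlpls.tuktuk.ug\t80\tGET\t/\tGo-http-client/1.1
2023-07-22T22:14:05Z\t10.0.5.17\tupdate.example.org\t443\tGET\t/check\tGo-http-client/1.1
2023-07-22T22:14:09Z\t10.0.5.22\tprometheus.corp.example\t9090\tGET\t/metrics\tGo-http-client/1.1
2023-07-22T22:14:10Z\t10.0.5.17\twww.example.com\t443\tGET\t/\tMozilla/5.0 (Windows NT 6.1; Win64; x64)
"""


def parse_proxy_log(text):
    """Yield one record per non-empty log line; the User-Agent is the last field and may contain tabs-free spaces."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, port, method, path, ua = line.split("\t", 6)
        yield {"ts": ts, "client": client, "host": host.lower(), "port": int(port),
               "method": method, "path": path, "ua": ua}


def match_indicators(text):
    """Return alerts for config hosts and for the Go default User-Agent to non-allow-listed hosts."""
    alerts = []
    for rec in parse_proxy_log(text):
        reasons = []
        if rec["host"] in CONFIG_HOSTS or rec["host"].endswith(CONFIG_DOMAIN):
            reasons.append("host from extracted malware config")
        if rec["ua"] == GO_DEFAULT_UA and rec["host"] not in GO_ALLOWLIST:
            reasons.append("Go default User-Agent to non-allow-listed host")
        if reasons:
            alerts.append({"ts": rec["ts"], "client": rec["client"], "host": rec["host"],
                           "port": rec["port"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in match_indicators(SAMPLE_LOG):
        print(alert["ts"], alert["client"], "->", f'{alert["host"]}:{alert["port"]}', "|", "; ".join(alert["reasons"]))
```

The RedLine server rcam21.tuktuk.ug:11290 has no HTTP scheme in the config, so expect to find it in DNS or flow telemetry rather than in an HTTP proxy log; it is in CONFIG_HOSTS so the same host match works on whichever source you feed in.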
Suspicious behavior: EnumeratesProcesses   3 IoCs
  pid | process
  2604 | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
  2900 | AppLaunch.exe
  2900 | AppLaunch.exe
Suspicious use of AdjustPrivilegeToken   2 IoCs
  description | pid | process
  Token: SeDebugPrivilege | 2604 | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
  Token: SeDebugPrivilege | 2900 | AppLaunch.exe
Suspicious use of WriteProcessMemory   19 IoCs
(identical rows collapsed; the count column gives the number of entries)
  description | pid | process | procid_target | count
  PID 2604 wrote to memory of 2900 | 2604 | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe | 28 | 12
  PID 2900 wrote to memory of 3024 | 2900 | AppLaunch.exe | 32 | 4
  PID 3024 wrote to memory of 2152 | 3024 | Notepod.exe | 33 | 3
Processes

- C:\Users\Admin\AppData\Local\Temp\b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe  (PID 2604, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 2900, depth 2, child of 2604)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\Notepod.exe  (PID 3024, depth 3, child of 2900)
      command line: "C:\Users\Admin\AppData\Local\Temp\Notepod.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe  (PID 2152, depth 4, child of 3024)
        command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads

Two distinct files were dropped. Each appears three times in the report with identical hashes and is listed once here.

Dropped file 1
  Filesize: 4.4MB
  MD5: 24c40e66db640789a022cb839b28d476
  SHA1: b6000f4b0e71ce952267e7e5728bc4181877c497
  SHA256: 6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f
  SHA512: 481240b66ac8eb61b8a9aa6e22e14abdffba7869695c7b92214029a714b619319d3c50bc640e79bf790de309d5a412f4e0fecabc1082acd52d1984c8c8f8f0cd

Dropped file 2
  Filesize: 788.4MB
  MD5: b2f80e420b206809baaefa982c41484f
  SHA1: e589152fac517be7a7b9c7e2d8fd8ce3a4d62f09
  SHA256: 2620f1446be0c5ebfd251af404cb93c6d2533dc4ee6b020fdfe6af7d69896583
  SHA512: 338aba49ff5f603c5a0284ddc2af6ee9b6cfe1a0bb733d4f246379e9a71674b40b2ea7f3516f11d57fd5fd44fe765ade9b0e4f614c26c4a902a4ee6d71573a68

Neither hash set matches the 2.8MB submitted sample, so these are second-stage payloads rather than copies of it. A 788.4MB dropped executable is also well above the size limits many scanners and upload portals apply; inflating a payload like this is a common evasion, so collect it by hash rather than discarding it on size.