Analysis
max time kernel: 290s
max time network: 257s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64 arch:x86 image:win10-20230703-en locale:en-us os:windows10-1703-x64 system
submitted: 22-07-2023 22:13
Behavioral task behavioral1
Sample: b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Resource: win7-20230712-en
Behavioral task behavioral2
Sample: b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Resource: win10-20230703-en
The results on this page are from behavioral2 (resource win10-20230703-en, platform windows10-1703_x64); the memory-dump YARA hits below are tagged behavioral2 accordingly.
General
Target: b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Size: 2.8MB
MD5: 4fee4dfe32401be36ab9d2f6e41f6228
SHA1: 897fe7fb7242cc6ec4964183141a8f0c7d5f172e
SHA256: b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1
SHA512: cb2f786ab00d7e1484cc977f56daf7e555909fdc7a9da14e0f541ef00b58fb8f78241c4cb79dccbe7d99cb7e772c3791d143346c1e75604e98176c121cb55c18
SSDEEP: 49152:uxAUjfZ+AnOsIOyocA+YwZavG/Mfow7HSG5RXE10M97MKcGt6I69DpL9PlIvuyJt:Q9gAnWoR+YMav5oUb5RaBptoJpLjOJcw
Malware Config
Extracted: redline
Botnet: 210723_rc_11
C2: rcam21.tuktuk.ug:11290
auth_value: dd5c2e37dd240447def77d8a4c6244f5
Extracted: laplas
URL: http://lpls.tuktuk.ug
api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Both extracted configs point at the tuktuk.ug domain (a RedLine C2 on port 11290 and a Laplas panel over plain HTTP), so a single domain block covers both channels. The auth_value and api_key identify the specific build or operator account and are useful pivots when hunting for related samples.
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by Notepod.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by ntlhost.exe
The VBOX__ DSDT key only exists on VirtualBox guests; all three stages perform the same check, so the evasion lives in the shared protector rather than in one payload.
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by Notepod.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by Notepod.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by ntlhost.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by ntlhost.exe
Executes dropped EXE 2 IoCs
PID 3608 Notepod.exe
PID 1564 ntlhost.exe
YARA rule match: themida 2 IoCs
behavioral2/memory/4896-132-0x00000000001D0000-0x0000000000872000-memory.dmp (rule: themida)
behavioral2/memory/4896-196-0x00000000001D0000-0x0000000000872000-memory.dmp (rule: themida)
Both dumps cover the same 0x1D0000-0x872000 image region of PID 4896 (the submitted sample), so the outer loader is Themida-protected. The NtSetInformationThreadHideFromDebugger and VirtualBox checks attributed to it are consistent with that protector, and static analysis should start from the unpacked memory dump rather than the file on disk.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" by Notepod.exe
The persistence is per-user (HKCU Run, no elevation required) and points at the final stage under %APPDATA%\NTSystem; removing the NTSystem Run value together with the ntlhost.exe file is the minimal cleanup.
Checks whether UAC is enabled 3 IoCs
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by Notepod.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by ntlhost.exe
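The VirtualBox ACPI key, the two BIOS version values, the EnableLUA read and the Run-key write above all surface as ordinary registry events in an EDR or sandbox log, and they are more useful together than one at a time. The Python below is an added example, not part of this report or of any sandbox's own code: it turns those IoCs into a small triage rule and runs it over event records constructed from the report (plus one constructed benign control row, explorer.exe reading EnableLUA). The tuple layout, tag names and weights are this example's own assumptions.

```python
"""Registry-event triage for the evasion and persistence IoCs in this report.

Added example, not part of the sandbox report or any sandbox's own code.
The EVENTS rows are constructed from the report's IoCs (plus one benign
control row); the tuple layout, tag names and weights are assumptions.
"""
import re

SAMPLE = "b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe"

# Paths taken verbatim from the report's signatures.
ANTI_VM_KEY = r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"
SYSTEM_BIOS = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"
VIDEO_BIOS = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"
BIOS_VALUES = {SYSTEM_BIOS.lower(), VIDEO_BIOS.lower()}
UAC_VALUE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
# Any value written under HKU\<SID>\...\CurrentVersion\Run is user-level persistence.
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$",
    re.IGNORECASE,
)

# Weights are this example's choice: a lone EnableLUA read is common in benign software.
WEIGHTS = {
    "anti_vm:vbox_acpi": 3,
    "anti_sandbox:bios_version": 1,
    "recon:uac_status": 1,
    "persistence:run_key": 4,
}

RUN_PATH = (r"\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem")

# Constructed from the report: (pid, image, operation, registry path, data written)
EVENTS = [
    (4896, SAMPLE, "key_opened", ANTI_VM_KEY, None),
    (4896, SAMPLE, "value_queried", SYSTEM_BIOS, None),
    (4896, SAMPLE, "value_queried", VIDEO_BIOS, None),
    (4896, SAMPLE, "value_queried", UAC_VALUE, None),
    (3608, "Notepod.exe", "key_opened", ANTI_VM_KEY, None),
    (3608, "Notepod.exe", "value_queried", SYSTEM_BIOS, None),
    (3608, "Notepod.exe", "value_queried", UAC_VALUE, None),
    (3608, "Notepod.exe", "value_set", RUN_PATH, r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"),
    (1564, "ntlhost.exe", "key_opened", ANTI_VM_KEY, None),
    (1564, "ntlhost.exe", "value_queried", UAC_VALUE, None),
    (2200, "explorer.exe", "value_queried", UAC_VALUE, None),  # constructed benign control
]


def classify(op, path):
    """Map one registry event to a tag, or None when it is not interesting."""
    p = path.lower()
    if op == "key_opened" and p == ANTI_VM_KEY.lower():
        return "anti_vm:vbox_acpi"
    if op == "value_queried" and p in BIOS_VALUES:
        return "anti_sandbox:bios_version"
    if op == "value_queried" and p == UAC_VALUE.lower():
        return "recon:uac_status"
    if op == "value_set" and RUN_KEY_RE.match(path):
        return "persistence:run_key"
    return None


def triage(events):
    """Aggregate tags per process. Each tag counts once, so a process that
    reads both SystemBiosVersion and VideoBiosVersion scores the BIOS tag once."""
    out = {}
    for pid, image, op, path, data in events:
        tag = classify(op, path)
        if tag is None:
            continue
        rec = out.setdefault((pid, image), {"tags": set(), "score": 0, "run_entries": []})
        if tag not in rec["tags"]:
            rec["tags"].add(tag)
            rec["score"] += WEIGHTS[tag]
        if tag == "persistence:run_key":
            rec["run_entries"].append((RUN_KEY_RE.match(path).group(1), data))
    return out


def suspicious(events, threshold=3):
    """(pid, image) pairs whose combined score reaches the threshold, sorted by pid."""
    return sorted(k for k, v in triage(events).items() if v["score"] >= threshold)


if __name__ == "__main__":
    for key, rec in sorted(triage(EVENTS).items()):
        print(key, rec["score"], sorted(rec["tags"]), rec["run_entries"])
```

Run as a script it prints one line per process; the benign control scores 1 and is not reported by suspicious(), while all three malware stages are, and Notepod.exe is the only one carrying a Run entry (NTSystem pointing at ntlhost.exe). Feeding real EDR registry telemetry only requires mapping its fields onto the five-tuple.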
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
PID 4896 b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
PID 3608 Notepod.exe
PID 1564 ntlhost.exe
Suspicious use of SetThreadContext 1 IoCs
PID 4896 (b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe) set thread context of PID 960 (AppLaunch.exe), procid_target 70
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
HTTP User-Agent header, flow 8: Go-http-client/1.1
Go-http-client/1.1 is what Go's net/http sends when a program sets no User-Agent of its own. It is rare from an interactive Windows desktop and makes a good proxy-log pivot, although legitimate Go tooling produces it as well, so pair it with the tuktuk.ug destinations from the config rather than alerting on the header alone.
Suspicious behavior: EnumeratesProcesses 4 IoCs
PID 4896 b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe (2 events)
PID 960 AppLaunch.exe (2 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege, PID 4896 b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Token: SeDebugPrivilege, PID 960 AppLaunch.exe
Suspicious use of WriteProcessMemory 12 IoCs
PID 4896 (b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe) wrote to memory of PID 960 (AppLaunch.exe), procid_target 70: 8 events
PID 960 (AppLaunch.exe) wrote to memory of PID 3608 (Notepod.exe), procid_target 72: 2 events
PID 3608 (Notepod.exe) wrote to memory of PID 1564 (ntlhost.exe), procid_target 73: 2 events
The eight writes into AppLaunch.exe, combined with the SetThreadContext call on the same target, are the process-hollowing pattern: the loader starts the legitimate .NET host, overwrites its memory and redirects a thread into the injected code, after which PID 960 runs attacker code behind a Microsoft-signed image and is the process that enumerates other processes and takes SeDebugPrivilege. The two writes from each parent into a child it has just created are what CreateProcess itself does when it sets up the new process and are not evidence of injection on their own.
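The distinction between the eight writes plus SetThreadContext into AppLaunch.exe and the two CreateProcess-era writes into each later child is exactly what a detection rule has to encode, otherwise every parent process lights up. The Python below is an added example, not part of this report: it rebuilds the process lineage from event tuples constructed from the report's process tree and IoC counts, and flags only the pair that both rewrote a target repeatedly and replaced one of its thread contexts. The tuple layout and the min_writes threshold are this example's own assumptions.

```python
"""Rebuild the injection chain from WriteProcessMemory / SetThreadContext IoCs.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree and IoC counts; the tuple layout and the min_writes
threshold are this example's own assumptions.
"""
from collections import defaultdict

SAMPLE = "b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
NOTEPOD = r"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"
NTLHOST = r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"

# Constructed from the report: (event, actor_pid, target_pid, target_image_path)
EVENTS = (
    [("create_process", 4896, 960, APPLAUNCH),
     ("set_thread_context", 4896, 960, APPLAUNCH)]
    + [("write_process_memory", 4896, 960, APPLAUNCH)] * 8   # 8 writes in the report
    + [("create_process", 960, 3608, NOTEPOD)]
    + [("write_process_memory", 960, 3608, NOTEPOD)] * 2     # 2 writes: CreateProcess housekeeping
    + [("create_process", 3608, 1564, NTLHOST)]
    + [("write_process_memory", 3608, 1564, NTLHOST)] * 2
)


def build_tree(events):
    """pid -> (image_path, parent_pid) from create_process events."""
    tree = {}
    for ev, actor, target, image in events:
        if ev == "create_process":
            tree[target] = (image, actor)
    return tree


def lineage(tree, pid):
    """Walk parents upward; returns [root, ..., pid]. The root is the sample
    itself, which no event created, so it has no tree entry and ends the walk."""
    chain = [pid]
    while pid in tree:
        pid = tree[pid][1]
        chain.append(pid)
    return chain[::-1]


def injection_findings(events, min_writes=3):
    """(actor, target) pairs where the actor both rewrote the target repeatedly
    and replaced one of its thread contexts: the process-hollowing pattern.
    A parent writing once or twice into a child it just created is normal
    CreateProcess behaviour and is deliberately left out."""
    writes = defaultdict(int)
    ctx = set()
    for ev, actor, target, _image in events:
        if ev == "write_process_memory":
            writes[(actor, target)] += 1
        elif ev == "set_thread_context":
            ctx.add((actor, target))
    tree = build_tree(events)
    findings = []
    for actor, target in sorted(ctx):
        if writes[(actor, target)] >= min_writes:
            image = tree.get(target, ("<unknown>", None))[0]
            findings.append({
                "actor": actor,
                "target": target,
                "writes": writes[(actor, target)],
                "target_image": image,
                # A Windows-shipped host image running injected code is the
                # living-off-the-land tell: the binary is clean, the memory is not.
                "windows_hosted": image.lower().startswith("c:\\windows\\"),
            })
    return findings


if __name__ == "__main__":
    print("lineage of 1564:", lineage(build_tree(EVENTS), 1564))
    for f in injection_findings(EVENTS):
        print(f)
```

The only finding is 4896 into 960 (eight writes, thread context replaced, target under C:\Windows), and the lineage of the persisted stage reads 4896 -> 960 -> 3608 -> 1564, matching the process tree below. In production the SetThreadContext requirement is what keeps the rule quiet; on an EDR that does not expose that call, the next-best substitute is a write count well above the CreateProcess baseline combined with a target that has not yet started executing its own image.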
Processes
Chain: the Themida-protected sample (4896) hollows the .NET AppLaunch.exe host (960); AppLaunch.exe spawns Notepod.exe (3608) from %TEMP%; Notepod.exe starts ntlhost.exe (1564) from %APPDATA%\NTSystem and registers it in the user's Run key.
C:\Users\Admin\AppData\Local\Temp\b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe (PID 4896, depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 960, depth 2, child of 4896)
  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Notepod.exe (PID 3608, depth 3, child of 960)
    command line: "C:\Users\Admin\AppData\Local\Temp\Notepod.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID 1564, depth 4, child of 3608)
      command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (launched without quotes, as recorded)
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
Two distinct dropped files are listed; the report does not say which of Notepod.exe and ntlhost.exe each set of hashes belongs to.
Filesize: 4.4MB
MD5: 24c40e66db640789a022cb839b28d476
SHA1: b6000f4b0e71ce952267e7e5728bc4181877c497
SHA256: 6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f
SHA512: 481240b66ac8eb61b8a9aa6e22e14abdffba7869695c7b92214029a714b619319d3c50bc640e79bf790de309d5a412f4e0fecabc1082acd52d1984c8c8f8f0cd
Filesize: 719.4MB
MD5: 7a897f318ee0b8449fe6f81f7a8e1dd1
SHA1: 31fa4307be080fc3280ce70835ff7b1489908994
SHA256: 23265c2ba40ee16cd9b2433e748ec084077a1369ddd5a891d0765012bc103b90
SHA512: 4808ea68c67abf9b8e17326ffa553c8634e47d77b9d80f8c09e651cc3f7b82b294912995332c1b8ca4f61c5fd6e5f6d4c3c8ed16044742131bc65da00f5537a9
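A 719.4MB artifact dropped by a 2.8MB sample is a strong hint that most of the file is padding, an inflation technique used to push executables past the size limits of scanners and sandbox uploaders. Before pivoting on the listed hashes, it is worth measuring the trailing single-byte run and hashing the unpadded core as well, since the core hash is what stays stable when the operator changes the amount of padding. The Python below is an added example, not part of this report: digests() produces the MD5/SHA-1/SHA-256 in the form the Downloads section lists them, and padding_report() measures the pad. BLOB is a constructed stand-in for a dropped file (a few KiB of varied bytes plus 2 MiB of zeros, not a real PE); run the functions on the real Notepod.exe or ntlhost.exe bytes instead.

```python
"""Hash a dropped artifact and measure trailing single-byte padding.

Added example, not part of the sandbox report. BLOB is a constructed stand-in
for a dropped file (not a real PE); run digests()/padding_report() on the
real Notepod.exe or ntlhost.exe bytes instead.
"""
import hashlib


def digests(data):
    """MD5 / SHA-1 / SHA-256 in the form the report's Downloads section lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def padding_report(data, threshold=0.5):
    """Measure the run of one repeated byte at the end of the file.

    A dropped executable whose size is dominated by a single trailing byte
    value has been inflated (usually with zeros) to exceed scanner upload or
    scan-size limits. When the run is at least `threshold` of the file, the
    unpadded core is hashed instead: that is the stable identifier across
    drops that differ only in how much padding was appended.
    """
    if not data:
        raise ValueError("empty input")
    pad_byte = data[-1]
    # bytes.rstrip with a one-byte argument strips exactly the trailing run of that byte.
    pad_len = len(data) - len(data.rstrip(bytes([pad_byte])))
    ratio = pad_len / len(data)
    inflated = ratio >= threshold
    core = data[: len(data) - pad_len] if inflated else data
    return {
        "size": len(data),
        "pad_byte": pad_byte,
        "pad_len": pad_len,
        "ratio": ratio,
        "inflated": inflated,
        "core_size": len(core),
        "core_digests": digests(core),
    }


# Constructed: 4 KiB of varied "payload" bytes followed by 2 MiB of zeros.
CORE = b"MZ" + bytes(range(256)) * 16
BLOB = CORE + b"\x00" * (2 << 20)


if __name__ == "__main__":
    r = padding_report(BLOB)
    print(f"{r['size']} bytes, {r['ratio']:.1%} padding with byte {r['pad_byte']:#04x}")
    print("core sha256:", r["core_digests"]["sha256"])
```

On the constructed blob the pad is 2 MiB of 0x00, over 99% of the file, and the core digests equal the digests of the 4 KiB payload alone. Whole-file hashes such as the SHA256 above still matter for matching this exact drop; the core hash is the one to add when building a rule meant to survive re-padding.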