Analysis
max time kernel: 277s
max time network: 288s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 22-07-2023 04:49
Behavioral task: behavioral1
Sample: b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Resource: win7-20230712-en
Behavioral task: behavioral2
Sample: b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Resource: win10-20230703-en
General
Target: b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Size: 2.8MB
MD5: 4fee4dfe32401be36ab9d2f6e41f6228
SHA1: 897fe7fb7242cc6ec4964183141a8f0c7d5f172e
SHA256: b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1
SHA512: cb2f786ab00d7e1484cc977f56daf7e555909fdc7a9da14e0f541ef00b58fb8f78241c4cb79dccbe7d99cb7e772c3791d143346c1e75604e98176c121cb55c18
SSDEEP: 49152:uxAUjfZ+AnOsIOyocA+YwZavG/Mfow7HSG5RXE10M97MKcGt6I69DpL9PlIvuyJt:Q9gAnWoR+YMav5oUb5RaBptoJpLjOJcw
Malware Config
Extracted: redline
Botnet: 210723_rc_11
C2: rcam21.tuktuk.ug:11290
auth_value: dd5c2e37dd240447def77d8a4c6244f5
Extracted: laplas
C2: http://lpls.tuktuk.ug
api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Notepod.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ntlhost.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Notepod.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Notepod.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ntlhost.exe

Executes dropped EXE 2 IoCs
pid | Process
3004 | Notepod.exe
1300 | ntlhost.exe

Loads dropped DLL 2 IoCs
pid | Process
3064 | AppLaunch.exe
3004 | Notepod.exe

Themida packer (YARA rule: themida) 2 IoCs
resource | yara_rule
behavioral1/memory/2856-67-0x0000000000160000-0x0000000000802000-memory.dmp | themida
behavioral1/memory/2856-121-0x0000000000160000-0x0000000000802000-memory.dmp | themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | Notepod.exe

Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Notepod.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid | Process
2856 | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
3004 | Notepod.exe
1300 | ntlhost.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2856 set thread context of 3064 | 2856 | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe | 28

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description | flow | ioc
HTTP User-Agent header | 6 | Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2856 | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
3064 | AppLaunch.exe
3064 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2856 | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
Token: SeDebugPrivilege | 3064 | AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target | entries
PID 2856 wrote to memory of 3064 | 2856 | b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe | 28 | 12 identical entries
PID 3064 wrote to memory of 3004 | 3064 | AppLaunch.exe | 32 | 4 identical entries
PID 3004 wrote to memory of 1300 | 3004 | Notepod.exe | 33 | 3 identical entries
Processes

[1] C:\Users\Admin\AppData\Local\Temp\b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1.exe"
    PID: 2856
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 3064
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\Notepod.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Notepod.exe"
        PID: 3004
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          PID: 1300
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4.4MB
MD5: 24c40e66db640789a022cb839b28d476
SHA1: b6000f4b0e71ce952267e7e5728bc4181877c497
SHA256: 6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f
SHA512: 481240b66ac8eb61b8a9aa6e22e14abdffba7869695c7b92214029a714b619319d3c50bc640e79bf790de309d5a412f4e0fecabc1082acd52d1984c8c8f8f0cd

Filesize: 834.4MB
MD5: 93a8ceb7d4180c7d0cd98229f40bc3e7
SHA1: 66d7038be4411e18cf52f64f210273c88ef52c6f
SHA256: 48abef7fc7a3024eaed45c6c58afcd36d309c655d2d23d3cc19aa896c3747a1f
SHA512: ae95aa8dd37bc014edf15dd8659aa5f4935208f239331695d24092c2d21ac07f455fb3fea00bb5c0fc1d2977c4cc47407aa97aab5c0bd73c6865955390bd8c65