Analysis
max time kernel: 141s
max time network: 143s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 25-07-2023 12:36
Behavioral task: behavioral1
Sample: 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
Resource: win10-20230703-en
General
Target: 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
Size: 2.8MB
MD5: 6659f84db9582049c250a8343dbf9168
SHA1: e58b0d6a289be0a12f20587cf8945233a086a27e
SHA256: 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05
SHA512: f9c54bd609dd78d182652892747b22db4064401dc420677f0f79e93b8504b6b4a1c92dd08d32cd4362b9973a9f7dc577b753b15f0d543b9449f64d41d652607c
SSDEEP: 49152:4K9pTJqY0xorwlsQRXh9e3rcpadXRZCq3PPK5/AQEiNT18Nnb+vE:4KLvZrAjX/rdlpLk+8
Malware Config
Extracted (redline)
  250723_rc_11
  rcam25.tuktuk.ug:11290
  auth_value: e4d5022e8271228547a5ac6b68c29a07
Extracted (laplas)
  http://lpls.tuktuk.ug
  api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ntlhost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Notepod.exe

Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Notepod.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Notepod.exe

Executes dropped EXE 2 IoCs
pid | Process
4964 | Notepod.exe
4340 | ntlhost.exe

Memory regions matching YARA rule themida 2 IoCs
resource | yara_rule
behavioral1/memory/2672-125-0x0000000000990000-0x0000000001042000-memory.dmp | themida
behavioral1/memory/2672-165-0x0000000000990000-0x0000000001042000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | Notepod.exe

Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Notepod.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntlhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid | Process
2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
4964 | Notepod.exe
4340 | ntlhost.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2672 set thread context of 4864 | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | 72

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description | flow | ioc
HTTP User-Agent header | 12 | Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
4864 | AppLaunch.exe
4864 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
Token: SeDebugPrivilege | 4864 | AppLaunch.exe

Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 2672 wrote to memory of 3688 | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | 70
PID 2672 wrote to memory of 3688 | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | 70
PID 2672 wrote to memory of 3688 | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | 70
PID 2672 wrote to memory of 868 | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | 71
PID 2672 wrote to memory of 868 | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | 71
PID 2672 wrote to memory of 868 | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | 71
PID 2672 wrote to memory of 4864 | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | 72
PID 2672 wrote to memory of 4864 | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | 72
PID 2672 wrote to memory of 4864 | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | 72
PID 2672 wrote to memory of 4864 | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | 72
PID 2672 wrote to memory of 4864 | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | 72
PID 2672 wrote to memory of 4864 | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | 72
PID 2672 wrote to memory of 4864 | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | 72
PID 2672 wrote to memory of 4864 | 2672 | 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | 72
PID 4864 wrote to memory of 4964 | 4864 | AppLaunch.exe | 74
PID 4864 wrote to memory of 4964 | 4864 | AppLaunch.exe | 74
PID 4964 wrote to memory of 4340 | 4964 | Notepod.exe | 75
PID 4964 wrote to memory of 4340 | 4964 | Notepod.exe | 75
Processes

[1] C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"
    PID: 2672
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        PID: 3688

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        PID: 868

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        PID: 4864
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\Notepod.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Notepod.exe"
            PID: 4964
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
                Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
                PID: 4340
                - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                - Checks BIOS information in registry
                - Executes dropped EXE
                - Checks whether UAC is enabled
                - Suspicious use of NtSetInformationThreadHideFromDebugger
Downloads