Malware Analysis Report

2024-10-23 15:43

Sample ID 230726-argexsha61
Target 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05
SHA256 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05
Tags
themida laplas redline 250723_rc_11 clipper evasion infostealer persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05

Threat Level: Known bad

The file 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05 was found to be: Known bad.

Malicious Activity Summary

themida laplas redline 250723_rc_11 clipper evasion infostealer persistence spyware stealer trojan

Detects DLL dropped by Raspberry Robin.

RedLine

Laplas Clipper

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Themida packer

Checks BIOS information in registry

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

GoLang User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-26 00:26

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-26 00:26

Reported

2023-07-26 00:31

Platform

win7-20230712-en

Max time kernel

271s

Max time network

278s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"

Signatures

Detects DLL dropped by Raspberry Robin.

Description Indicator Process Target
N/A N/A N/A N/A

Laplas Clipper

stealer clipper laplas

RedLine

infostealer redline

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1880 set thread context of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1880 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 2128 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\Notepod.exe
PID 2888 wrote to memory of 2128 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\Notepod.exe
PID 2888 wrote to memory of 2128 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\Notepod.exe
PID 2888 wrote to memory of 2128 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\Notepod.exe
PID 2128 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 2128 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 2128 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe

"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 rcam25.tuktuk.ug udp
NL 85.209.3.9:11290 rcam25.tuktuk.ug tcp
NL 45.66.230.149:80 45.66.230.149 tcp
US 8.8.8.8:53 lpls.tuktuk.ug udp
NL 45.66.230.149:80 lpls.tuktuk.ug tcp

Files

memory/1880-54-0x00000000775D0000-0x0000000077617000-memory.dmp

memory/1880-53-0x0000000000C90000-0x0000000001342000-memory.dmp

memory/1880-59-0x00000000775D0000-0x0000000077617000-memory.dmp

memory/1880-58-0x0000000076320000-0x0000000076430000-memory.dmp

memory/1880-60-0x0000000076320000-0x0000000076430000-memory.dmp

memory/1880-61-0x0000000076320000-0x0000000076430000-memory.dmp

memory/1880-62-0x00000000775D0000-0x0000000077617000-memory.dmp

memory/1880-63-0x0000000077B30000-0x0000000077B32000-memory.dmp

memory/1880-64-0x0000000000C90000-0x0000000001342000-memory.dmp

memory/1880-66-0x00000000775D0000-0x0000000077617000-memory.dmp

memory/1880-65-0x0000000000C90000-0x0000000001342000-memory.dmp

memory/1880-68-0x0000000000500000-0x000000000051C000-memory.dmp

memory/1880-69-0x0000000000500000-0x0000000000515000-memory.dmp

memory/1880-70-0x0000000000500000-0x0000000000515000-memory.dmp

memory/1880-72-0x0000000000500000-0x0000000000515000-memory.dmp

memory/1880-74-0x0000000000500000-0x0000000000515000-memory.dmp

memory/1880-78-0x0000000000500000-0x0000000000515000-memory.dmp

memory/1880-76-0x0000000000500000-0x0000000000515000-memory.dmp

memory/1880-82-0x0000000000500000-0x0000000000515000-memory.dmp

memory/1880-80-0x0000000000500000-0x0000000000515000-memory.dmp

memory/1880-86-0x0000000000500000-0x0000000000515000-memory.dmp

memory/1880-84-0x0000000000500000-0x0000000000515000-memory.dmp

memory/1880-90-0x0000000000500000-0x0000000000515000-memory.dmp

memory/1880-88-0x0000000000500000-0x0000000000515000-memory.dmp

memory/1880-92-0x0000000000500000-0x0000000000515000-memory.dmp

memory/2888-93-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2888-95-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2888-97-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2888-99-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2888-101-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2888-102-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2888-104-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2888-106-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1880-108-0x0000000076320000-0x0000000076430000-memory.dmp

memory/1880-109-0x00000000775D0000-0x0000000077617000-memory.dmp

memory/1880-110-0x0000000000C90000-0x0000000001342000-memory.dmp

memory/2888-111-0x00000000003F0000-0x00000000003F6000-memory.dmp

memory/2888-112-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/2888-113-0x0000000004A50000-0x0000000004A90000-memory.dmp

memory/2888-114-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/2888-115-0x0000000004A50000-0x0000000004A90000-memory.dmp

\Users\Admin\AppData\Local\Temp\Notepod.exe

MD5 18658dec7775fa53f081b892d6a2b027
SHA1 fa8d901c7aac70e2c37544883ce087e48c6302d1
SHA256 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
SHA512 cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d

memory/2888-120-0x000000000B900000-0x000000000C085000-memory.dmp

memory/2128-122-0x00000000011A0000-0x0000000001925000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

MD5 18658dec7775fa53f081b892d6a2b027
SHA1 fa8d901c7aac70e2c37544883ce087e48c6302d1
SHA256 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
SHA512 cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d

memory/2888-123-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/2128-124-0x0000000077940000-0x0000000077AE9000-memory.dmp

memory/2128-125-0x00000000011A0000-0x0000000001925000-memory.dmp

memory/2128-126-0x00000000011A0000-0x0000000001925000-memory.dmp

memory/2128-127-0x00000000011A0000-0x0000000001925000-memory.dmp

memory/2128-128-0x00000000011A0000-0x0000000001925000-memory.dmp

memory/2128-130-0x00000000011A0000-0x0000000001925000-memory.dmp

memory/2128-129-0x00000000011A0000-0x0000000001925000-memory.dmp

memory/2128-131-0x00000000011A0000-0x0000000001925000-memory.dmp

memory/2128-132-0x00000000011A0000-0x0000000001925000-memory.dmp

memory/2128-133-0x00000000011A0000-0x0000000001925000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

MD5 18658dec7775fa53f081b892d6a2b027
SHA1 fa8d901c7aac70e2c37544883ce087e48c6302d1
SHA256 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
SHA512 cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d

memory/2128-134-0x00000000011A0000-0x0000000001925000-memory.dmp

memory/2128-136-0x00000000011A0000-0x0000000001925000-memory.dmp

memory/2128-137-0x00000000011A0000-0x0000000001925000-memory.dmp

memory/2128-138-0x0000000077940000-0x0000000077AE9000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 2d0bf19ec79b0508cb7b51377a0b97ab
SHA1 0c3e52529dc41a8bd9bbed8ba64ce4786ed5a1d3
SHA256 3021900afa22c1d9c677b4068252cd358c4b0680ffd845c7969f99eb1c5dbd11
SHA512 dd633eaa07f9a489ead949349b655a16bf32f5129f75796d90bb5125e9b4a7f5b9f90622bcf53408ac790b5bf6eabcec58c13a437c6dc8ca0714c4f1021b871a

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 2d0bf19ec79b0508cb7b51377a0b97ab
SHA1 0c3e52529dc41a8bd9bbed8ba64ce4786ed5a1d3
SHA256 3021900afa22c1d9c677b4068252cd358c4b0680ffd845c7969f99eb1c5dbd11
SHA512 dd633eaa07f9a489ead949349b655a16bf32f5129f75796d90bb5125e9b4a7f5b9f90622bcf53408ac790b5bf6eabcec58c13a437c6dc8ca0714c4f1021b871a

memory/2128-143-0x0000000028610000-0x0000000028D95000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 2d0bf19ec79b0508cb7b51377a0b97ab
SHA1 0c3e52529dc41a8bd9bbed8ba64ce4786ed5a1d3
SHA256 3021900afa22c1d9c677b4068252cd358c4b0680ffd845c7969f99eb1c5dbd11
SHA512 dd633eaa07f9a489ead949349b655a16bf32f5129f75796d90bb5125e9b4a7f5b9f90622bcf53408ac790b5bf6eabcec58c13a437c6dc8ca0714c4f1021b871a

memory/1872-145-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/2128-144-0x00000000011A0000-0x0000000001925000-memory.dmp

memory/2128-146-0x0000000077940000-0x0000000077AE9000-memory.dmp

memory/1872-147-0x0000000077940000-0x0000000077AE9000-memory.dmp

memory/1872-148-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-149-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-150-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-151-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-152-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-153-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-154-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-155-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-156-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-157-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-158-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-159-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-160-0x0000000077940000-0x0000000077AE9000-memory.dmp

memory/1872-161-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-162-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-163-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-165-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-166-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/1872-167-0x0000000000310000-0x0000000000A95000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-26 00:26

Reported

2023-07-26 00:31

Platform

win10-20230703-en

Max time kernel

128s

Max time network

257s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"

Signatures

Detects DLL dropped by Raspberry Robin.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1720 set thread context of 5020 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe

"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rcam25.tuktuk.ug udp
NL 85.209.3.9:11290 rcam25.tuktuk.ug tcp
US 8.8.8.8:53 9.3.209.85.in-addr.arpa udp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

memory/1720-118-0x0000000000AD0000-0x0000000001182000-memory.dmp

memory/1720-119-0x0000000076780000-0x0000000076942000-memory.dmp

memory/1720-120-0x0000000076780000-0x0000000076942000-memory.dmp

memory/1720-121-0x0000000076780000-0x0000000076942000-memory.dmp

memory/1720-122-0x0000000076780000-0x0000000076942000-memory.dmp

memory/1720-123-0x00000000747C0000-0x0000000074890000-memory.dmp

memory/1720-127-0x0000000000AD0000-0x0000000001182000-memory.dmp

memory/1720-128-0x0000000005A90000-0x0000000005B2C000-memory.dmp

memory/1720-129-0x0000000000AD0000-0x0000000001182000-memory.dmp

memory/1720-130-0x0000000076780000-0x0000000076942000-memory.dmp

memory/1720-132-0x00000000747C0000-0x0000000074890000-memory.dmp

memory/1720-133-0x0000000003690000-0x00000000036AC000-memory.dmp

memory/1720-134-0x0000000003690000-0x00000000036A5000-memory.dmp

memory/1720-135-0x0000000003690000-0x00000000036A5000-memory.dmp

memory/1720-137-0x0000000003690000-0x00000000036A5000-memory.dmp

memory/1720-139-0x0000000003690000-0x00000000036A5000-memory.dmp

memory/1720-141-0x0000000003690000-0x00000000036A5000-memory.dmp

memory/1720-143-0x0000000003690000-0x00000000036A5000-memory.dmp

memory/1720-145-0x0000000003690000-0x00000000036A5000-memory.dmp

memory/1720-147-0x0000000003690000-0x00000000036A5000-memory.dmp

memory/1720-149-0x0000000003690000-0x00000000036A5000-memory.dmp

memory/1720-151-0x0000000003690000-0x00000000036A5000-memory.dmp

memory/1720-153-0x0000000003690000-0x00000000036A5000-memory.dmp

memory/1720-155-0x0000000003690000-0x00000000036A5000-memory.dmp

memory/1720-157-0x0000000003690000-0x00000000036A5000-memory.dmp

memory/5020-158-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1720-165-0x0000000000AD0000-0x0000000001182000-memory.dmp

memory/5020-166-0x0000000073CA0000-0x000000007438E000-memory.dmp

memory/5020-164-0x0000000006AD0000-0x0000000006AD6000-memory.dmp

memory/1720-167-0x0000000076780000-0x0000000076942000-memory.dmp

memory/1720-168-0x00000000747C0000-0x0000000074890000-memory.dmp

memory/5020-169-0x000000000EB70000-0x000000000F176000-memory.dmp

memory/5020-170-0x000000000E670000-0x000000000E77A000-memory.dmp

memory/5020-171-0x000000000E590000-0x000000000E5A2000-memory.dmp

memory/5020-172-0x00000000090D0000-0x00000000090E0000-memory.dmp

memory/5020-173-0x000000000E5F0000-0x000000000E62E000-memory.dmp

memory/5020-174-0x000000000E780000-0x000000000E7CB000-memory.dmp

memory/5020-179-0x000000000E920000-0x000000000E996000-memory.dmp

memory/5020-180-0x000000000EA40000-0x000000000EAD2000-memory.dmp

memory/5020-181-0x000000000E9A0000-0x000000000EA06000-memory.dmp

memory/5020-182-0x000000000FA80000-0x000000000FF7E000-memory.dmp

memory/5020-185-0x0000000073CA0000-0x000000007438E000-memory.dmp

memory/5020-186-0x00000000090D0000-0x00000000090E0000-memory.dmp

memory/5020-459-0x0000000010410000-0x00000000105D2000-memory.dmp

memory/5020-460-0x0000000011F60000-0x000000001248C000-memory.dmp

memory/5020-577-0x0000000073CA0000-0x000000007438E000-memory.dmp