Analysis

max time kernel: 129s
max time network: 145s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2023 08:19
Behavioral task: behavioral1
Sample: 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Resource: win7-20230712-en

Behavioral task: behavioral2
Sample: 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Resource: win10v2004-20230703-en
General

Target: 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Size: 2.3MB
MD5: 9b06361b484531e8d71b64fbb32534d9
SHA1: 6c47e8bfaf1b82c57c861312f1fe130cc5e21c96
SHA256: 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd
SHA512: dd9ab0d96801bdc8e541c60f0cb23f8c5089f8cefd4fa9041dae5d6d7e393f27ff25cc445117e3804f235fabce0fd2ae80d284463ef2278da5afb6a81f285bbb
SSDEEP: 49152:SgUFBrKkyuD7ug6e1NsUfgvig28JUU1y4unHZ1IxLRoV:eJK1umgBUU+n28uUMxHXIh6
Malware Config

Extracted: redline
150723_rc_11
rcam15.tuktuk.ug:11290
auth_value: 0b3645317afbcac212f68853bb45b46d

Extracted: laplas
http://lpls.tuktuk.ug
api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Notepod.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ntlhost.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Notepod.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Notepod.exe

Executes dropped EXE (2 IoCs)
pid | Process
1212 | Notepod.exe
3000 | ntlhost.exe

Loads dropped DLL (2 IoCs)
pid | Process
2836 | AppLaunch.exe
1212 | Notepod.exe

resource | yara_rule
behavioral1/memory/2564-66-0x0000000000080000-0x000000000063A000-memory.dmp | themida
behavioral1/memory/2564-112-0x0000000000080000-0x000000000063A000-memory.dmp | themida

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | Notepod.exe

Checks whether UAC is enabled (3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Notepod.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid | Process
2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
1212 | Notepod.exe
3000 | ntlhost.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2564 set thread context of 2836 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 29

GoLang User-Agent (1 IoC)
Uses default user-agent string defined by GoLang HTTP packages.
description | flow | ioc
HTTP User-Agent header | 6 | Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
2836 | AppLaunch.exe
2836 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Token: SeDebugPrivilege | 2836 | AppLaunch.exe

Suspicious use of WriteProcessMemory (26 IoCs)
description | pid | Process | procid_target
PID 2564 wrote to memory of 2820 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 28
PID 2564 wrote to memory of 2820 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 28
PID 2564 wrote to memory of 2820 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 28
PID 2564 wrote to memory of 2820 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 28
PID 2564 wrote to memory of 2820 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 28
PID 2564 wrote to memory of 2820 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 28
PID 2564 wrote to memory of 2820 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 28
PID 2564 wrote to memory of 2836 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 29
PID 2564 wrote to memory of 2836 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 29
PID 2564 wrote to memory of 2836 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 29
PID 2564 wrote to memory of 2836 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 29
PID 2564 wrote to memory of 2836 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 29
PID 2564 wrote to memory of 2836 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 29
PID 2564 wrote to memory of 2836 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 29
PID 2564 wrote to memory of 2836 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 29
PID 2564 wrote to memory of 2836 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 29
PID 2564 wrote to memory of 2836 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 29
PID 2564 wrote to memory of 2836 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 29
PID 2564 wrote to memory of 2836 | 2564 | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe | 29
PID 2836 wrote to memory of 1212 | 2836 | AppLaunch.exe | 33
PID 2836 wrote to memory of 1212 | 2836 | AppLaunch.exe | 33
PID 2836 wrote to memory of 1212 | 2836 | AppLaunch.exe | 33
PID 2836 wrote to memory of 1212 | 2836 | AppLaunch.exe | 33
PID 1212 wrote to memory of 3000 | 1212 | Notepod.exe | 34
PID 1212 wrote to memory of 3000 | 1212 | Notepod.exe | 34
PID 1212 wrote to memory of 3000 | 1212 | Notepod.exe | 34
Processes

C:\Users\Admin\AppData\Local\Temp\753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe (PID 2564)
  command line: "C:\Users\Admin\AppData\Local\Temp\753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2820)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2836)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Notepod.exe (PID 1212)
      command line: "C:\Users\Admin\AppData\Local\Temp\Notepod.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID 3000)
        command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads