Analysis
- max time kernel: 153s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-07-2023 13:08
Behavioral task: behavioral1
- Sample: NA_1ed33d760f151b33b3d20bf9e_JC.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: NA_1ed33d760f151b33b3d20bf9e_JC.exe
- Resource: win10v2004-20230703-en
General
- Target: NA_1ed33d760f151b33b3d20bf9e_JC.exe
- Size: 2.8MB
- MD5: 6659f84db9582049c250a8343dbf9168
- SHA1: e58b0d6a289be0a12f20587cf8945233a086a27e
- SHA256: 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05
- SHA512: f9c54bd609dd78d182652892747b22db4064401dc420677f0f79e93b8504b6b4a1c92dd08d32cd4362b9973a9f7dc577b753b15f0d543b9449f64d41d652607c
- SSDEEP: 49152:4K9pTJqY0xorwlsQRXh9e3rcpadXRZCq3PPK5/AQEiNT18Nnb+vE:4KLvZrAjX/rdlpLk+8
Malware Config
Extracted: redline
- Botnet: 250723_rc_11
- C2: rcam25.tuktuk.ug:11290
- auth_value: e4d5022e8271228547a5ac6b68c29a07
Extracted: laplas
- C2: http://lpls.tuktuk.ug
- api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | NA_1ed33d760f151b33b3d20bf9e_JC.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Notepod.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ntlhost.exe
- Downloads MZ/PE file
- Checks BIOS information in registry (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | NA_1ed33d760f151b33b3d20bf9e_JC.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | NA_1ed33d760f151b33b3d20bf9e_JC.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Notepod.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Notepod.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ntlhost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ntlhost.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2960 | Notepod.exe
  2452 | ntlhost.exe
- YARA matches
  resource | yara_rule
  behavioral2/memory/3332-144-0x0000000000DD0000-0x0000000001482000-memory.dmp | themida
  behavioral2/memory/3332-180-0x0000000000DD0000-0x0000000001482000-memory.dmp | themida
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | Notepod.exe
- Checks whether UAC is enabled (3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NA_1ed33d760f151b33b3d20bf9e_JC.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Notepod.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntlhost.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid | Process
  3332 | NA_1ed33d760f151b33b3d20bf9e_JC.exe
  2960 | Notepod.exe
  2452 | ntlhost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 3332 set thread context of 4320 | 3332 | NA_1ed33d760f151b33b3d20bf9e_JC.exe | 92
- GoLang User-Agent (1 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.
  description | flow | ioc
  HTTP User-Agent header | 44 | Go-http-client/1.1
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  3332 | NA_1ed33d760f151b33b3d20bf9e_JC.exe
  3332 | NA_1ed33d760f151b33b3d20bf9e_JC.exe
  4320 | AppLaunch.exe
  4320 | AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3332 | NA_1ed33d760f151b33b3d20bf9e_JC.exe
  Token: SeDebugPrivilege | 4320 | AppLaunch.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 3332 wrote to memory of 4320 | 3332 | NA_1ed33d760f151b33b3d20bf9e_JC.exe | 92
  PID 3332 wrote to memory of 4320 | 3332 | NA_1ed33d760f151b33b3d20bf9e_JC.exe | 92
  PID 3332 wrote to memory of 4320 | 3332 | NA_1ed33d760f151b33b3d20bf9e_JC.exe | 92
  PID 3332 wrote to memory of 4320 | 3332 | NA_1ed33d760f151b33b3d20bf9e_JC.exe | 92
  PID 3332 wrote to memory of 4320 | 3332 | NA_1ed33d760f151b33b3d20bf9e_JC.exe | 92
  PID 3332 wrote to memory of 4320 | 3332 | NA_1ed33d760f151b33b3d20bf9e_JC.exe | 92
  PID 3332 wrote to memory of 4320 | 3332 | NA_1ed33d760f151b33b3d20bf9e_JC.exe | 92
  PID 3332 wrote to memory of 4320 | 3332 | NA_1ed33d760f151b33b3d20bf9e_JC.exe | 92
  PID 4320 wrote to memory of 2960 | 4320 | AppLaunch.exe | 94
  PID 4320 wrote to memory of 2960 | 4320 | AppLaunch.exe | 94
  PID 2960 wrote to memory of 2452 | 2960 | Notepod.exe | 96
  PID 2960 wrote to memory of 2452 | 2960 | Notepod.exe | 96
Processes
- C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe"
  PID: 3332
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 4320
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Notepod.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Notepod.exe"
      PID: 2960
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        PID: 2452
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.1MB
  MD5: 18658dec7775fa53f081b892d6a2b027
  SHA1: fa8d901c7aac70e2c37544883ce087e48c6302d1
  SHA256: 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
  SHA512: cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d
- Filesize: 3.1MB
  MD5: 18658dec7775fa53f081b892d6a2b027
  SHA1: fa8d901c7aac70e2c37544883ce087e48c6302d1
  SHA256: 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
  SHA512: cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d
- Filesize: 3.1MB
  MD5: 18658dec7775fa53f081b892d6a2b027
  SHA1: fa8d901c7aac70e2c37544883ce087e48c6302d1
  SHA256: 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
  SHA512: cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d
- Filesize: 663.8MB
  MD5: 9f0befb01d77d751bfb27fd520cbffea
  SHA1: c49489a5780f9315aefe698f801b78f114e9bd69
  SHA256: cebc9aef1a03d8b4d6ae39651f5e2d4eabfccaf5d514a0f633bb00ca24e3b3e9
  SHA512: 856132bb5d65583dc92ba15081a7187b50eabda21c598fa6a97ab0f2a83137300777e6da7fc33c4dec15c5420250854b2a6f076fcda706895146ce8ba377550f
- Filesize: 659.6MB
  MD5: 62b4664f8063c068e052fa5766605dd4
  SHA1: 882236f7263d971659481cf7987d443007389721
  SHA256: c359022559dde1cce30733ab1940e7fdbfa240e3bc179f4a137668c317066109
  SHA512: c482cce7fe4cbac458cbf3590544cf83379a3b0818206747958b46db8cbe6ed9cf7a7ecb69b370bd1f77ce6141ee21deae43efa2d574216cf6569d2f5b3f870c