Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
27-07-2023 01:19
Behavioral task
behavioral1
Sample
1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
Resource
win10v2004-20230703-en
General
-
Target
1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
-
Size
2.8MB
-
MD5
6659f84db9582049c250a8343dbf9168
-
SHA1
e58b0d6a289be0a12f20587cf8945233a086a27e
-
SHA256
1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05
-
SHA512
f9c54bd609dd78d182652892747b22db4064401dc420677f0f79e93b8504b6b4a1c92dd08d32cd4362b9973a9f7dc577b753b15f0d543b9449f64d41d652607c
-
SSDEEP
49152:4K9pTJqY0xorwlsQRXh9e3rcpadXRZCq3PPK5/AQEiNT18Nnb+vE:4KLvZrAjX/rdlpLk+8
Malware Config
Extracted
redline
250723_rc_11
rcam25.tuktuk.ug:11290
-
auth_value
e4d5022e8271228547a5ac6b68c29a07
Extracted
laplas
http://lpls.tuktuk.ug
-
api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ntlhost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Notepod.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ntlhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Notepod.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Notepod.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ntlhost.exe -
Executes dropped EXE 2 IoCs
pid Process 1108 Notepod.exe 3588 ntlhost.exe -
resource yara_rule behavioral2/memory/2824-143-0x0000000000AF0000-0x00000000011A2000-memory.dmp themida behavioral2/memory/2824-180-0x0000000000AF0000-0x00000000011A2000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" Notepod.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Notepod.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ntlhost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 2824 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe 1108 Notepod.exe 3588 ntlhost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2824 set thread context of 2400 2824 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe 92 -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 43 Go-http-client/1.1 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2824 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe 2824 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe 2400 AppLaunch.exe 2400 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2824 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe Token: SeDebugPrivilege 2400 AppLaunch.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2824 wrote to memory of 2400 2824 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe 92 PID 2824 wrote to memory of 2400 2824 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe 92 PID 2824 wrote to memory of 2400 2824 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe 92 PID 2824 wrote to memory of 2400 2824 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe 92 PID 2824 wrote to memory of 2400 2824 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe 92 PID 2824 wrote to memory of 2400 2824 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe 92 PID 2824 wrote to memory of 2400 2824 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe 92 PID 2824 wrote to memory of 2400 2824 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe 92 PID 2400 wrote to memory of 1108 2400 AppLaunch.exe 94 PID 2400 wrote to memory of 1108 2400 AppLaunch.exe 94 PID 1108 wrote to memory of 3588 1108 Notepod.exe 96 PID 1108 wrote to memory of 3588 1108 Notepod.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Users\Admin\AppData\Local\Temp\Notepod.exe"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3588
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD518658dec7775fa53f081b892d6a2b027
SHA1fa8d901c7aac70e2c37544883ce087e48c6302d1
SHA25617ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
SHA512cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d
-
Filesize
3.1MB
MD518658dec7775fa53f081b892d6a2b027
SHA1fa8d901c7aac70e2c37544883ce087e48c6302d1
SHA25617ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
SHA512cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d
-
Filesize
3.1MB
MD518658dec7775fa53f081b892d6a2b027
SHA1fa8d901c7aac70e2c37544883ce087e48c6302d1
SHA25617ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
SHA512cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d
-
Filesize
663.0MB
MD5c204e4a125c82174a9640979625855f5
SHA1952d1a895d3a626e2a58be090aa9a804e994f5ad
SHA2563ca1f895d6b7bdcd20effca1a2fe05822319813c07b6014cc7c95803ea7f87cf
SHA512aabda459a8ed48ae5580dd3d34b8bb0086a418fb104fef602c086e3910d739422ec44eea22df5e36f07ee84e3697aeaffb706e01ea3de7cab5c8ed4191a4ec8b
-
Filesize
670.9MB
MD57ba446f3be88d83446763d286930f5cc
SHA11aa6e0bfdc1d452db6a8c41775f216799f82295e
SHA2567edb8c0812a6521deeb02c00bbb3ad0e586274445372f5c9a7beabbfa3f0a161
SHA512f341451d5041fdc6c5fa2a4545f21f07d8c360aea9933387a9a5bce24d641ae3bbd7576a1d29ec66ea35b5973e2c0b8045784933277bb9454e1fa38cc24dea75