Analysis
max time kernel: 276s
max time network: 287s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 30-07-2023 23:19
Behavioral task: behavioral1
Sample: 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
Resource: win7-20230712-en
General
Target: 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
Size: 2.8MB
MD5: 1d156981b23a1531d4e6449c95ec6c9f
SHA1: 98c264b55efdd118215190955d3a6372e4497330
SHA256: 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e
SHA512: c2cc592a3b4aef17e1a6882f97e36bc3cc257b6c83b21cc72bd92cf45ff48c5de45c22c34352a10bf3fc66a884dfb8fec007781561be88e9071d6a2433f91a2d
SSDEEP: 49152:OS6hBcbHH6ORsof+ZymfCvKa+nxzsA/y8aiPRmN6VLvOjwsDxA:OS+BcHaORvmZJfdxIA/y83PcNcLvSwsi
Malware Config
Extracted
  Family: redline
  Botnet: 300723_rc
  C2: rc3007.tuktuk.ug:11290
  auth_value: ce139e531e6dc9a5397038679a0625d3
Extracted
  Family: laplas
  C2: http://lpls.tuktuk.ug
  api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures

Detects DLL dropped by Raspberry Robin. 1 IoCs
Raspberry Robin.
resource | yara_rule
behavioral1/memory/2636-110-0x0000000075030000-0x0000000075140000-memory.dmp | Raspberry_Robin_DLL_MAY_2022

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Notepod.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ntlhost.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Notepod.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Notepod.exe

Executes dropped EXE 2 IoCs
pid | Process
988 | Notepod.exe
1036 | ntlhost.exe

Loads dropped DLL 2 IoCs
pid | Process
2980 | AppLaunch.exe
988 | Notepod.exe

resource | yara_rule
behavioral1/memory/2636-66-0x0000000000F60000-0x0000000001604000-memory.dmp | themida
behavioral1/memory/2636-113-0x0000000000F60000-0x0000000001604000-memory.dmp | themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | Notepod.exe

Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Notepod.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid | Process
2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
988 | Notepod.exe
1036 | ntlhost.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2636 set thread context of 2980 | 2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | 28

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description | flow | ioc
HTTP User-Agent header | 6 | Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
2980 | AppLaunch.exe
2980 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
Token: SeDebugPrivilege | 2980 | AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target
PID 2636 wrote to memory of 2980 | 2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | 28
PID 2636 wrote to memory of 2980 | 2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | 28
PID 2636 wrote to memory of 2980 | 2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | 28
PID 2636 wrote to memory of 2980 | 2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | 28
PID 2636 wrote to memory of 2980 | 2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | 28
PID 2636 wrote to memory of 2980 | 2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | 28
PID 2636 wrote to memory of 2980 | 2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | 28
PID 2636 wrote to memory of 2980 | 2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | 28
PID 2636 wrote to memory of 2980 | 2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | 28
PID 2636 wrote to memory of 2980 | 2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | 28
PID 2636 wrote to memory of 2980 | 2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | 28
PID 2636 wrote to memory of 2980 | 2636 | 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | 28
PID 2980 wrote to memory of 988 | 2980 | AppLaunch.exe | 32
PID 2980 wrote to memory of 988 | 2980 | AppLaunch.exe | 32
PID 2980 wrote to memory of 988 | 2980 | AppLaunch.exe | 32
PID 2980 wrote to memory of 988 | 2980 | AppLaunch.exe | 32
PID 988 wrote to memory of 1036 | 988 | Notepod.exe | 33
PID 988 wrote to memory of 1036 | 988 | Notepod.exe | 33
PID 988 wrote to memory of 1036 | 988 | Notepod.exe | 33
Processes

C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe"
  PID: 2636
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 2980
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Notepod.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Notepod.exe"
      PID: 988
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        PID: 1036
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4.1MB
MD5: b30e29bccabab032c27910210d9ccf76
SHA1: caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256: b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512: ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8

Filesize: 758.1MB
MD5: 0a56cc6f5a6214db21e504f27c26cb9c
SHA1: cfd262b4dca501fc6936d2f10d3529e1d0b10e09
SHA256: eae46b93dbc67f48f588834dfa4547557644debffd676dccacc91de83cf494f7
SHA512: 1ce1baa1b25e8bce4956182a2b0ad68235ce6de474e61f565b17fe6c71315873e0f2e5e0a37be6ce187fc096948c93ee16d8c1dd08e24aab1ccf0bb9bd99ef0d