Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-07-2023 12:15
General
- Target: 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
- Size: 2.8MB
- MD5: 1d156981b23a1531d4e6449c95ec6c9f
- SHA1: 98c264b55efdd118215190955d3a6372e4497330
- SHA256: 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e
- SHA512: c2cc592a3b4aef17e1a6882f97e36bc3cc257b6c83b21cc72bd92cf45ff48c5de45c22c34352a10bf3fc66a884dfb8fec007781561be88e9071d6a2433f91a2d
- SSDEEP: 49152:OS6hBcbHH6ORsof+ZymfCvKa+nxzsA/y8aiPRmN6VLvOjwsDxA:OS+BcHaORvmZJfdxIA/y83PcNcLvSwsi
Malware Config
Extracted: redline
- botnet: 300723_rc
- C2: rc3007.tuktuk.ug:11290
- auth_value: ce139e531e6dc9a5397038679a0625d3
Extracted: laplas
- C2: http://lpls.tuktuk.ug
- api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
The \VBOX__ DSDT key only exists on VirtualBox guests, so opening it is a presence test for the hypervisor rather than a read of any data.
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by Notepod.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by ntlhost.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments: on a virtual machine SystemBiosVersion and VideoBiosVersion carry the hypervisor vendor's strings.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by Notepod.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by Notepod.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by ntlhost.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by ntlhost.exe
-
Executes dropped EXE 2 IoCs
- PID 4100 Notepod.exe
- PID 2232 ntlhost.exe
-
Themida packer 2 IoCs
Both memory dumps of the initial sample (PID 1884) match the themida yara rule, which fits the anti-debug and anti-VM checks listed for it; unpacked code is better recovered from these dumps than from the file on disk.
- behavioral1/memory/1884-143-0x0000000000AD0000-0x0000000001174000-memory.dmp: themida
- behavioral1/memory/1884-180-0x0000000000AD0000-0x0000000001174000-memory.dmp: themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Persistence is written to the user hive, so it needs no elevation; the value is an unquoted path under %APPDATA%, matching the unquoted command line of PID 2232 in the process tree below.
- Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" by Notepod.exe
-
Checks whether UAC is enabled 3 IoCs
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by Notepod.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by ntlhost.exe
-
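The four registry-based signatures above (VirtualBox ACPI key, BIOS version values, EnableLUA, Run key) all reduce to matching an operation plus a path. The script below is an added example, not part of the sandbox report: it classifies Procmon-style registry events into those signatures and flags a Run value that points into a user-writable directory. The CSV lines are constructed from this report's IoCs (with one benign explorer.exe row added as a non-match), and the column layout is Procmon's export format, not the sandbox's.

```python
"""Classify registry activity into the signatures this report raises.

Added example, not part of the sandbox report. Input is the CSV layout of a
Procmon export (Process Name, PID, Operation, Path, Result, Detail). The log
lines in SAMPLE_LOG are constructed from the report's IoCs, plus one benign
explorer.exe row to show a non-match; the PIDs are the report's.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample, modelled on the IoCs in the report above.
SAMPLE_LOG = r'''Process Name,PID,Operation,Path,Result,Detail
Notepod.exe,4100,RegOpenKey,HKLM\HARDWARE\ACPI\DSDT\VBOX__,NAME NOT FOUND,Desired Access: Read
Notepod.exe,4100,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion,SUCCESS,Type: REG_MULTI_SZ
Notepod.exe,4100,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion,SUCCESS,Type: REG_MULTI_SZ
Notepod.exe,4100,RegQueryValue,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA,SUCCESS,Type: REG_DWORD
Notepod.exe,4100,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem,SUCCESS,"Type: REG_SZ, Length: 108, Data: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"
ntlhost.exe,2232,RegOpenKey,HKLM\HARDWARE\ACPI\DSDT\VBOX__,NAME NOT FOUND,Desired Access: Read
ntlhost.exe,2232,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion,SUCCESS,Type: REG_MULTI_SZ
ntlhost.exe,2232,RegQueryValue,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA,SUCCESS,Type: REG_DWORD
explorer.exe,3924,RegQueryValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden,SUCCESS,Type: REG_DWORD
'''

SIGNATURES = (
    # (signature as named in the report, Procmon operations that trigger it, path pattern)
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     {"RegOpenKey", "RegQueryKey"},
     re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I)),
    ("Checks BIOS information in registry",
     {"RegQueryValue"},
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("Checks whether UAC is enabled",
     {"RegQueryValue"},
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
    ("Adds Run key to start application",
     {"RegSetValue"},
     re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)),
)

# A Run value pointing into a user-writable location deserves a closer look.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Temp\\", re.I)


def classify(csv_text):
    """Return one finding per registry event that matches a signature."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for name, operations, pattern in SIGNATURES:
            if row["Operation"] not in operations or not pattern.search(row["Path"]):
                continue
            finding = {
                "pid": int(row["PID"]),
                "process": row["Process Name"],
                "signature": name,
                "path": row["Path"],
            }
            # The Detail column of a RegSetValue row carries the written data.
            if name.startswith("Adds Run key") and USER_WRITABLE.search(row["Detail"]):
                finding["note"] = "Run value points into a user-writable directory"
            findings.append(finding)
    return findings


def summarize(findings):
    """Collapse findings to {process name: set of distinct signatures}."""
    by_process = defaultdict(set)
    for finding in findings:
        by_process[finding["process"]].add(finding["signature"])
    return dict(by_process)


if __name__ == "__main__":
    for process, signatures in summarize(classify(SAMPLE_LOG)).items():
        print(f"{process}: {len(signatures)} signature(s)")
        for signature in sorted(signatures):
            print(f"  - {signature}")
```

Only the Run-key rule maps directly onto Sysmon telemetry (Event ID 13, RegistryEvent value set); Sysmon does not log key opens or value reads, so the three anti-analysis checks need Procmon, an ETW registry provider, or a sandbox like the one that produced this report.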
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
NtSetInformationThread with the ThreadHideFromDebugger class stops the calling thread from delivering debug events to an attached debugger; it is a standard anti-debug step in commercial protectors such as Themida, which matches the packer hit above.
- PID 1884 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
- PID 4100 Notepod.exe
- PID 2232 ntlhost.exe
-
Suspicious use of SetThreadContext 1 IoCs
Combined with the repeated WriteProcessMemory calls into the same PID below, this is consistent with process hollowing: the parent writes a payload into a freshly created child and redirects its thread with SetThreadContext.
- PID 1884 (223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe) set thread context of PID 1368 (target id 93)
-
GoLang User-Agent 1 IoCs
Uses the default user-agent string set by Go's net/http package (Go-http-client/1.1 for HTTP/1.1 requests). This is consistent with the Laplas config extracted above, Laplas Clipper being written in Go.
- flow 73: HTTP User-Agent header Go-http-client/1.1
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
- PID 1884 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe (4 times)
- PID 1368 AppLaunch.exe (2 times)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 1884 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
- Token: SeDebugPrivilege, PID 1368 AppLaunch.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
- PID 1884 (223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe) wrote to memory of PID 5040 (3 times, target id 92)
- PID 1884 (223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe) wrote to memory of PID 1368 (8 times, target id 93)
- PID 1368 (AppLaunch.exe) wrote to memory of PID 4100 (2 times, target id 95)
- PID 4100 (Notepod.exe) wrote to memory of PID 2232 (2 times, target id 97)
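The WriteProcessMemory and SetThreadContext rows above are enough to rebuild the injection chain. The script below is an added example, not part of the sandbox report: it parses those rows in the page's own layout ("PID <writer> wrote to memory of <target> <writer> <writer image> <sandbox target id>"), counts writes per parent/child pair, renders the resulting process tree, and reports a hollowing candidate wherever the same parent both writes into a child and sets its thread context. The PID-to-image map is taken from the report's process tree; HOST_BINARIES is an assumption (signed .NET utilities commonly used as hollowing hosts), not a list the report gives.

```python
"""Reconstruct the injection chain from the report's flattened rows.

Added example, not part of the sandbox report. WRITE_ROWS and CONTEXT_ROWS are
the rows from the WriteProcessMemory and SetThreadContext signatures above;
IMAGES maps PIDs to image names using the report's process tree.
HOST_BINARIES is an assumption: .NET framework utilities commonly used as
hollowing hosts, not a list the report provides.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe"

WRITE_ROWS = f"""
PID 1884 wrote to memory of 5040 1884 {SAMPLE} 92
PID 1884 wrote to memory of 5040 1884 {SAMPLE} 92
PID 1884 wrote to memory of 5040 1884 {SAMPLE} 92
PID 1884 wrote to memory of 1368 1884 {SAMPLE} 93
PID 1884 wrote to memory of 1368 1884 {SAMPLE} 93
PID 1884 wrote to memory of 1368 1884 {SAMPLE} 93
PID 1884 wrote to memory of 1368 1884 {SAMPLE} 93
PID 1884 wrote to memory of 1368 1884 {SAMPLE} 93
PID 1884 wrote to memory of 1368 1884 {SAMPLE} 93
PID 1884 wrote to memory of 1368 1884 {SAMPLE} 93
PID 1884 wrote to memory of 1368 1884 {SAMPLE} 93
PID 1368 wrote to memory of 4100 1368 AppLaunch.exe 95
PID 1368 wrote to memory of 4100 1368 AppLaunch.exe 95
PID 4100 wrote to memory of 2232 4100 Notepod.exe 97
PID 4100 wrote to memory of 2232 4100 Notepod.exe 97
"""
CONTEXT_ROWS = f"PID 1884 set thread context of 1368 1884 {SAMPLE} 93"

IMAGES = {1884: SAMPLE, 5040: "AppLaunch.exe", 1368: "AppLaunch.exe",
          4100: "Notepod.exe", 2232: "ntlhost.exe"}

# Assumption: signed .NET utilities frequently chosen as hollowing hosts.
HOST_BINARIES = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                 "installutil.exe", "vbc.exe"}

ROW = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ \S+ \d+")


def parse_rows(text):
    """Return (writer_pid, target_pid) pairs in the order the report lists them."""
    return [(int(src), int(dst)) for src, _verb, dst in ROW.findall(text)]


def render_tree(children, images, pid, depth=0):
    """Indented lines for pid and its descendants."""
    lines = [f"{'  ' * depth}{images.get(pid, '?')} (PID {pid})"]
    for child in children.get(pid, []):
        lines.extend(render_tree(children, images, child, depth + 1))
    return lines


def analyze(write_text, context_text, images):
    writes = Counter(parse_rows(write_text))      # (writer, target) -> number of writes
    contexts = set(parse_rows(context_text))      # (writer, target) pairs with SetThreadContext
    children = defaultdict(list)
    for writer, target in writes:                 # Counter keeps report order
        children[writer].append(target)
    hollowing, written_only = [], []
    for (writer, target), count in writes.items():
        image = images.get(target, "?")
        if image.lower() not in HOST_BINARIES:
            continue                              # not a host binary: ordinary parent->child write
        record = {"writer": writer, "target": target, "image": image, "writes": count}
        (hollowing if (writer, target) in contexts else written_only).append(record)
    targets = {target for _, target in writes}
    tree = []
    for root in (pid for pid in children if pid not in targets):
        tree.extend(render_tree(children, images, root))
    return {"writes": writes, "hollowing": hollowing,
            "written_only": written_only, "tree": tree}


if __name__ == "__main__":
    result = analyze(WRITE_ROWS, CONTEXT_ROWS, IMAGES)
    print("\n".join(result["tree"]))
    for r in result["hollowing"]:
        print(f"hollowing: PID {r['writer']} -> PID {r['target']} ({r['image']}), "
              f"{r['writes']} writes + SetThreadContext")
    for r in result["written_only"]:
        print(f"written only: PID {r['writer']} -> PID {r['target']} ({r['image']}), "
              f"{r['writes']} writes, no SetThreadContext")
```

On this report the output separates PID 1368 (eight writes plus SetThreadContext) from PID 5040 (three writes, no thread context, and no further activity attributed to it). For live telemetry note that Sysmon Event ID 10 (ProcessAccess) will not fire here: a parent that creates its child already holds the handle, so the signal is the process creation itself (Event ID 1), an unsigned binary in Temp launching AppLaunch.exe with no arguments.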
Processes
-
C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe (PID 1884)
  command line: "C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 5040, child of 1884)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1368, child of 1884)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Notepod.exe (PID 4100, child of 1368)
      command line: "C:\Users\Admin\AppData\Local\Temp\Notepod.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID 2232, child of 4100)
        command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (unquoted)
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 4.1MB (this entry appears three times in the report)
MD5 b30e29bccabab032c27910210d9ccf76
SHA1 caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256 b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512 ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8
-
Filesize 715.1MB (this entry appears twice in the report)
MD5 35d5fd2785fbed0c5f1bb13c9e66fa9d
SHA1 ce1d2035def13bb5d8b0a5a90ce09ac0a71f557a
SHA256 eaf33ae6b97334c4aff43aeb43014f231eac0ac911915334f99c90da1bb0a418
SHA512 82a7b1d8329076956f503742d4ced67e83ed7fc048ef51d535933ab061db5b473e202d06ddd19072300ea7454a5cf753f4d3670ee53a53f6a0ed61dc675379c7
A 715.1MB download is far above the upload limits of most multi-engine scanners and sandboxes; padding a binary to that size is a common way to keep it from being submitted for analysis, so check for a large block of filler before treating the file as too big to handle.