Analysis
-
max time kernel
117s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
01-08-2023 14:27
Behavioral task
behavioral1
Sample
223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe
Resource
win10v2004-20230703-en
General
-
Target
223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe
-
Size
2.8MB
-
MD5
1d156981b23a1531d4e6449c95ec6c9f
-
SHA1
98c264b55efdd118215190955d3a6372e4497330
-
SHA256
223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e
-
SHA512
c2cc592a3b4aef17e1a6882f97e36bc3cc257b6c83b21cc72bd92cf45ff48c5de45c22c34352a10bf3fc66a884dfb8fec007781561be88e9071d6a2433f91a2d
-
SSDEEP
49152:OS6hBcbHH6ORsof+ZymfCvKa+nxzsA/y8aiPRmN6VLvOjwsDxA:OS+BcHaORvmZJfdxIA/y83PcNcLvSwsi
Malware Config
Extracted
redline
300723_rc
rc3007.tuktuk.ug:11290
-
auth_value
ce139e531e6dc9a5397038679a0625d3
Extracted
laplas
http://lpls.tuktuk.ug
-
api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 1100 Notepod.exe 1988 ntlhost.exe -
Loads dropped DLL 2 IoCs
pid Process 2836 AppLaunch.exe 1100 Notepod.exe -
resource yara_rule behavioral1/memory/2016-63-0x0000000000010000-0x00000000006B4000-memory.dmp themida behavioral1/memory/2016-106-0x0000000000010000-0x00000000006B4000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" Notepod.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 1100 Notepod.exe 1988 ntlhost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2016 set thread context of 2836 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 28 -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 6 Go-http-client/1.1 -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 2836 AppLaunch.exe 2836 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe Token: SeDebugPrivilege 2836 AppLaunch.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2016 wrote to memory of 2836 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 28 PID 2016 wrote to memory of 2836 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 28 PID 2016 wrote to memory of 2836 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 28 PID 2016 wrote to memory of 2836 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 28 PID 2016 wrote to memory of 2836 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 28 PID 2016 wrote to memory of 2836 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 28 PID 2016 wrote to memory of 2836 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 28 PID 2016 wrote to memory of 2836 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 28 PID 2016 wrote to memory of 2836 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 28 PID 2016 wrote to memory of 2836 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 28 PID 2016 wrote to memory of 2836 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 28 PID 2016 wrote to memory of 2836 2016 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 28 PID 2836 wrote to memory of 1100 2836 AppLaunch.exe 32 PID 2836 wrote to memory of 1100 2836 AppLaunch.exe 32 PID 2836 wrote to memory of 1100 2836 AppLaunch.exe 32 PID 2836 wrote to memory of 1100 2836 AppLaunch.exe 32 PID 1100 wrote to memory of 1988 1100 Notepod.exe 33 PID 1100 wrote to memory of 1988 1100 Notepod.exe 33 PID 1100 wrote to memory of 1988 1100 Notepod.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe"C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Users\Admin\AppData\Local\Temp\Notepod.exe"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1988
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.1MB
MD5b30e29bccabab032c27910210d9ccf76
SHA1caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8
-
Filesize
4.1MB
MD5b30e29bccabab032c27910210d9ccf76
SHA1caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8
-
Filesize
61.9MB
MD51e5676f77b996fd6a8927b4d0398ff23
SHA13b8208c8d5b4abc7bf04631def871e5d34496766
SHA25645236eb7d0905ebb55970293104b821bccf67a55c4ad5e8e8b21b72d497a051b
SHA512d1f5bc7ceb702081738ba0bc3d050e9e17c8d743f275bc3ac2711fe73d37951971ed76a1597c98b0cb1b205787e37fb494e6f4a861d15e2a25abf4bf79007df1
-
Filesize
63.6MB
MD55551def12056fd40462b1249399c9366
SHA17eed68ca127436fd6fbbae1cab5a8df27cdc404d
SHA2560169fa3e464fbf7e7d116d8c10b8a6fdea8421d18671792945b74e375834aab9
SHA512d9c9efd2a0c048a88b2a8c733d57d4216413bc4623b6670cfb3852e8806a25ff79181c8b0bf37c8890ded2172c48512deb16792893523455a001080264f4e8da
-
Filesize
4.1MB
MD5b30e29bccabab032c27910210d9ccf76
SHA1caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8
-
Filesize
62.8MB
MD5502bea4159626b5bacfd5c26357a9c26
SHA106606f30f3c5aee514bd48833640b716570e79ea
SHA2569f28605bca758ceb642a54b2cfb98585b8f77207c95e9844f44b684906828595
SHA512aa08156e102d49636fd8a51c1d67748d3c8c243cfbfba8720dc6a35c4a3b03a1776b82fc0efa0678f32732493eb1b62ef0060cec38be1867e0b8e4dacd785746