Analysis
-
max time kernel
147s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
01-08-2023 14:27
Behavioral task
behavioral1
Sample
223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe
Resource
win10v2004-20230703-en
General
-
Target
223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe
-
Size
2.8MB
-
MD5
1d156981b23a1531d4e6449c95ec6c9f
-
SHA1
98c264b55efdd118215190955d3a6372e4497330
-
SHA256
223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e
-
SHA512
c2cc592a3b4aef17e1a6882f97e36bc3cc257b6c83b21cc72bd92cf45ff48c5de45c22c34352a10bf3fc66a884dfb8fec007781561be88e9071d6a2433f91a2d
-
SSDEEP
49152:OS6hBcbHH6ORsof+ZymfCvKa+nxzsA/y8aiPRmN6VLvOjwsDxA:OS+BcHaORvmZJfdxIA/y83PcNcLvSwsi
Malware Config
Extracted
redline
300723_rc
rc3007.tuktuk.ug:11290
-
auth_value
ce139e531e6dc9a5397038679a0625d3
Extracted
laplas
http://lpls.tuktuk.ug
-
api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 3504 Notepod.exe 3516 ntlhost.exe -
resource yara_rule behavioral2/memory/4844-143-0x00000000007C0000-0x0000000000E64000-memory.dmp themida behavioral2/memory/4844-181-0x00000000007C0000-0x0000000000E64000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" Notepod.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 4844 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 3504 Notepod.exe 3516 ntlhost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4844 set thread context of 856 4844 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 92 -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 42 Go-http-client/1.1 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4844 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 4844 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 856 AppLaunch.exe 856 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4844 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe Token: SeDebugPrivilege 856 AppLaunch.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4844 wrote to memory of 856 4844 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 92 PID 4844 wrote to memory of 856 4844 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 92 PID 4844 wrote to memory of 856 4844 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 92 PID 4844 wrote to memory of 856 4844 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 92 PID 4844 wrote to memory of 856 4844 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 92 PID 4844 wrote to memory of 856 4844 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 92 PID 4844 wrote to memory of 856 4844 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 92 PID 4844 wrote to memory of 856 4844 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe 92 PID 856 wrote to memory of 3504 856 AppLaunch.exe 95 PID 856 wrote to memory of 3504 856 AppLaunch.exe 95 PID 3504 wrote to memory of 3516 3504 Notepod.exe 96 PID 3504 wrote to memory of 3516 3504 Notepod.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe"C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5eexe_JC.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Users\Admin\AppData\Local\Temp\Notepod.exe"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3516
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.1MB
MD5b30e29bccabab032c27910210d9ccf76
SHA1caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8
-
Filesize
4.1MB
MD5b30e29bccabab032c27910210d9ccf76
SHA1caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8
-
Filesize
4.1MB
MD5b30e29bccabab032c27910210d9ccf76
SHA1caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8
-
Filesize
517.5MB
MD5f7ed847450ee312167ca641281f0e4cf
SHA1ad9761e90de7dfff97f8d5e70484df2bf864898b
SHA2568171aef1dc82403c154ab99c2d95afca44d07f4678c9325b7a47f3efd41b7313
SHA512bfb34cf55f964639f72ee1128885a511286f3a90d258d74b4d0950dde8d432203f256cf7c8fbc97b0be94e412232627401c36e8e43303f14d245649e993cf008
-
Filesize
513.1MB
MD51ce984e6c0c12a63475169ceabf793df
SHA1e36605eb6af7648ee20d6a0bb37f0c693b207441
SHA2562951805fc76eaae60fb684933cee28b49b75da9fd3cc5c0a444bea7850108ed4
SHA512fe1f7049cd8b3ca7e66a2641b8244ff113adb1d95d11ba598d24a4c8242c865edd0fad2b184338d7a1b59499f1cd249a1ea0c67ab5a1c29b92586092725ea048