Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
02-08-2023 10:11
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20230703-en
General
-
Target
tmp.exe
-
Size
2.8MB
-
MD5
1d156981b23a1531d4e6449c95ec6c9f
-
SHA1
98c264b55efdd118215190955d3a6372e4497330
-
SHA256
223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e
-
SHA512
c2cc592a3b4aef17e1a6882f97e36bc3cc257b6c83b21cc72bd92cf45ff48c5de45c22c34352a10bf3fc66a884dfb8fec007781561be88e9071d6a2433f91a2d
-
SSDEEP
49152:OS6hBcbHH6ORsof+ZymfCvKa+nxzsA/y8aiPRmN6VLvOjwsDxA:OS+BcHaORvmZJfdxIA/y83PcNcLvSwsi
Malware Config
Extracted
redline
300723_rc
rc3007.tuktuk.ug:11290
-
auth_value
ce139e531e6dc9a5397038679a0625d3
Extracted
laplas
http://lpls.tuktuk.ug
-
api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 4392 Notepod.exe 2772 ntlhost.exe -
resource yara_rule behavioral2/memory/4864-143-0x0000000000AB0000-0x0000000001154000-memory.dmp themida behavioral2/memory/4864-178-0x0000000000AB0000-0x0000000001154000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" Notepod.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 4864 tmp.exe 4392 Notepod.exe 2772 ntlhost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4864 set thread context of 4812 4864 tmp.exe 92 -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 65 Go-http-client/1.1 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4864 tmp.exe 4864 tmp.exe 4812 AppLaunch.exe 4812 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4864 tmp.exe Token: SeDebugPrivilege 4812 AppLaunch.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4864 wrote to memory of 4812 4864 tmp.exe 92 PID 4864 wrote to memory of 4812 4864 tmp.exe 92 PID 4864 wrote to memory of 4812 4864 tmp.exe 92 PID 4864 wrote to memory of 4812 4864 tmp.exe 92 PID 4864 wrote to memory of 4812 4864 tmp.exe 92 PID 4864 wrote to memory of 4812 4864 tmp.exe 92 PID 4864 wrote to memory of 4812 4864 tmp.exe 92 PID 4864 wrote to memory of 4812 4864 tmp.exe 92 PID 4812 wrote to memory of 4392 4812 AppLaunch.exe 94 PID 4812 wrote to memory of 4392 4812 AppLaunch.exe 94 PID 4392 wrote to memory of 2772 4392 Notepod.exe 97 PID 4392 wrote to memory of 2772 4392 Notepod.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Users\Admin\AppData\Local\Temp\Notepod.exe"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2772
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.1MB
MD5b30e29bccabab032c27910210d9ccf76
SHA1caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8
-
Filesize
4.1MB
MD5b30e29bccabab032c27910210d9ccf76
SHA1caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8
-
Filesize
4.1MB
MD5b30e29bccabab032c27910210d9ccf76
SHA1caa3927738b66c3ecc553943eabedcbbfbe4c0da
SHA256b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
SHA512ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8
-
Filesize
747.9MB
MD525c747b00771ab94b5894d127a3031ee
SHA1f04d082da1884d3e432b70a094ecf6a8f675988a
SHA256cf0488f83fcc4324da6e4e63c20e5d8b2e0b5a80f7abc8264da03aca52ec2d86
SHA512453ac72d81ccc5104dc8e387a4fbc73522d5416d51ed59f8788a640b2ee6a4c471549f7f23fe8da7ea9587d0a02ced79733a88f64b963854bf63fb9a5bfe6edf
-
Filesize
752.1MB
MD5f1becdc3936f8e05a2deb9b9415b5bd1
SHA1944c9fc9d13572e01dddf1439d0e80d47ed1ea1e
SHA256b324e035bdab13ba097bb5d54c6996be4005d17f2d141397e589f27fefccb0bc
SHA51257a03101fdb2d62d7e6ed61c902960352c8f590d2fdac2384c23bb2ace7dff15b763e4c72f7fe369fddcc2f1d0945242968646a67538585210e5c8608a5b8f97