Analysis

max time kernel:  138s
max time network: 145s
platform:         windows7_x64
resource:         win7-20230831-en
resource tags:    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted:        03-09-2023 09:29

Behavioral task: behavioral1
Sample:          JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe
Resource:        win7-20230831-en
General

Target: JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe
Size:   6.6MB
MD5:    c95b05b54c227d7a5715b452975141c6
SHA1:   02c63c6b8e0ae4d232cbee2348d6a43a5e015a3c
SHA256: 1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d
SHA512: 8516e5ef329bff892d361fa9ffe2e14730ed2a4341a21051779cf0b1793eaebd6e456ff9dd79ae3dc276e21da9968c283b07ea684a0546a03427660f862d6f4b
SSDEEP: 196608:PDHuu55eRkhK6fQ3rGWhF4V1CB7fFZrVhAAGmpDZRkEXafPD:rOuqio6fcrniarFbf1PaPD
Malware Config

Extracted: amadey
  Version:      3.88
  C2:           5.42.64.33/vu3skClDn/index.php
  install_dir:  0ac15cf625
  install_file: yiueea.exe
  strings_key:  23e63d80d583519d75db46f354137051

Extracted: redline
  Botnet:     010923
  C2:         happy1sept.tuktuk.ug:11290
  auth_value: 8338bf26f599326ee45afe9d54f7ef8e

Extracted: laplas
  C2:      http://lpls.tuktuk.ug
  api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs, 2 IoCs]
  description  ioc                                          Process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  winlog.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  ntlhost.exe

Downloads MZ/PE file

Checks BIOS information in registry  [2 TTPs, 4 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  winlog.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   winlog.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  ntlhost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   ntlhost.exe

Executes dropped EXE  [5 IoCs]
  pid   Process
  1356  taskhost.exe
  2536  winlog.exe
  3012  taskhost.exe
  1600  taskhost.exe
  1344  ntlhost.exe

Loads dropped DLL  [5 IoCs]
  pid   Process
  3032  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe
  3032  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe
  1356  taskhost.exe
  1356  taskhost.exe
  2536  winlog.exe

Reads user/profile data of web browsers  [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.

YARA matches
  resource                                                                     yara_rule
  behavioral1/memory/3032-3-0x00000000012B0000-0x0000000001D1C000-memory.dmp    vmprotect
  behavioral1/memory/3032-6-0x00000000012B0000-0x0000000001D1C000-memory.dmp    vmprotect
  behavioral1/memory/3032-50-0x00000000012B0000-0x0000000001D1C000-memory.dmp   vmprotect
  behavioral1/memory/1124-170-0x00000000012B0000-0x0000000001D1C000-memory.dmp  vmprotect
  behavioral1/memory/1124-175-0x00000000012B0000-0x0000000001D1C000-memory.dmp  vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting  [2 TTPs]

Adds Run key to start application  [2 TTPs, 1 IoCs]
  description      ioc                                                                                                                                                                                       Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"  winlog.exe

Checks installed software on the system  [1 TTPs]
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
  description        ioc                                                                          Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  winlog.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger  [2 IoCs]
  pid   Process
  2536  winlog.exe
  1344  ntlhost.exe

Suspicious use of SetThreadContext  [1 IoCs]
  description                          pid   Process       procid_target
  PID 1356 set thread context of 1600  1356  taskhost.exe  34

Enumerates physical storage devices  [1 TTPs]
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s)  [1 TTPs, 1 IoCs]
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2664  schtasks.exe

GoLang User-Agent  [2 IoCs]
  Uses default user-agent string defined by GoLang HTTP packages.
  description             flow  ioc
  HTTP User-Agent header  15    Go-http-client/1.1
  HTTP User-Agent header  16    Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses  [7 IoCs]
  pid   Process
  3032  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe
  1356  taskhost.exe
  1356  taskhost.exe
  1600  taskhost.exe
  1124  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe
  1600  taskhost.exe
  1600  taskhost.exe

Suspicious use of AdjustPrivilegeToken  [2 IoCs]
  description              pid   Process
  Token: SeDebugPrivilege  1356  taskhost.exe
  Token: SeDebugPrivilege  1600  taskhost.exe

Suspicious use of WriteProcessMemory  [32 IoCs]
  description                       pid   Process                                                                   procid_target
  PID 3032 wrote to memory of 2664  3032  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe  28
  PID 3032 wrote to memory of 2664  3032  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe  28
  PID 3032 wrote to memory of 2664  3032  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe  28
  PID 3032 wrote to memory of 2664  3032  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe  28
  PID 3032 wrote to memory of 1356  3032  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe  30
  PID 3032 wrote to memory of 1356  3032  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe  30
  PID 3032 wrote to memory of 1356  3032  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe  30
  PID 3032 wrote to memory of 1356  3032  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe  30
  PID 3032 wrote to memory of 2536  3032  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe  32
  PID 3032 wrote to memory of 2536  3032  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe  32
  PID 3032 wrote to memory of 2536  3032  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe  32
  PID 3032 wrote to memory of 2536  3032  JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe  32
  PID 1356 wrote to memory of 3012  1356  taskhost.exe                                                              33
  PID 1356 wrote to memory of 3012  1356  taskhost.exe                                                              33
  PID 1356 wrote to memory of 3012  1356  taskhost.exe                                                              33
  PID 1356 wrote to memory of 3012  1356  taskhost.exe                                                              33
  PID 1356 wrote to memory of 1600  1356  taskhost.exe                                                              34
  PID 1356 wrote to memory of 1600  1356  taskhost.exe                                                              34
  PID 1356 wrote to memory of 1600  1356  taskhost.exe                                                              34
  PID 1356 wrote to memory of 1600  1356  taskhost.exe                                                              34
  PID 1356 wrote to memory of 1600  1356  taskhost.exe                                                              34
  PID 1356 wrote to memory of 1600  1356  taskhost.exe                                                              34
  PID 1356 wrote to memory of 1600  1356  taskhost.exe                                                              34
  PID 1356 wrote to memory of 1600  1356  taskhost.exe                                                              34
  PID 1356 wrote to memory of 1600  1356  taskhost.exe                                                              34
  PID 2536 wrote to memory of 1344  2536  winlog.exe                                                                35
  PID 2536 wrote to memory of 1344  2536  winlog.exe                                                                35
  PID 2536 wrote to memory of 1344  2536  winlog.exe                                                                35
  PID 2940 wrote to memory of 1124  2940  taskeng.exe                                                               38
  PID 2940 wrote to memory of 1124  2940  taskeng.exe                                                               38
  PID 2940 wrote to memory of 1124  2940  taskeng.exe                                                               38
  PID 2940 wrote to memory of 1124  2940  taskeng.exe                                                               38
Processes

C:\Users\Admin\AppData\Local\Temp\JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe  (PID 3032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (PID 2664)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe /TR "C:\Users\Admin\AppData\Local\Temp\JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe" /F
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe  (PID 1356)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe  (PID 3012)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe"
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe  (PID 1600)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\1000499001\winlog.exe  (PID 2536)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000499001\winlog.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe  (PID 1344)
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\system32\taskeng.exe  (PID 2940)
  Command line: taskeng.exe {01AFFECE-22FD-4E0C-9C34-ECFC4F8E8DDB} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe  (PID 1124)
    Command line: C:\Users\Admin\AppData\Local\Temp\JC_1c70dce1db7e359c792d1ecc02164baa8e0ddf73e05a769e9c34a3cc2819916d.exe
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads

File (listed 8 times)
  Filesize: 1.7MB
  MD5:      d3ec7e37c4d7c6d7adab1ccaa50ce27c
  SHA1:     8c13c02fcbb52cf0476aa8ed046f75d0371883dc
  SHA256:   71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
  SHA512:   62ab3966f3c0061ad81d96dbd3efd222816fdd56e497891e2fa0088e540c333aa6745dcd41e722d6b6d8a92a37c032c83b3e987cc1ecc99b64a6d34438002a8d

File (listed 4 times)
  Filesize: 3.5MB
  MD5:      062fe47e8efc9041880ed273eda7c8f3
  SHA1:     b77fffa5fce64689758a7180477ffa25bd62f509
  SHA256:   589b49a8e56beb55dcdacec0cdc3e04949eaa678df53d720ba940c7193130344
  SHA512:   67a4536375b34d77b3e61314ab5a6ffbbab11ff5bc4e2dd62c4b141f2b8727aef93438fd0ac74a60b55da92d54e40ee2868a9cacb2e80a60061d324940f5cb80

File (listed 2 times)
  Filesize: 792.5MB
  MD5:      d15a57940acb24603e643672b038557a
  SHA1:     ebae96e864f92ee617b2be0a93924513471dee32
  SHA256:   8b484640e1ef2f02cc1a2de64aa7985775c3a330e41cf1ff42407aeb3cb6f57e
  SHA512:   4424a62b0026534bc4edbf56be6182abad57312559f2409c553dce74f09c837069d1e885dc6435a93f20752c080984312ac79d7c8f4411eccf453f5e4d9e4ab7