Analysis
max time kernel: 155s
max time network: 173s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 11-11-2024 05:46
Behavioral task: behavioral1
Sample: WhatsApp/WhatsApp.exe
Resource: win7-20241010-en
General
Target: WhatsApp/WhatsApp.exe
Size: 700.0MB
MD5: 76e4e31dd3e40ac6790c83fa48419a55
SHA1: f42363c9ca8325a47efd4f01f177702433d78ff8
SHA256: 661d2ed323c8703a7466774162972254589be4ab04abd6067d70ab44bc70d978
SHA512: 78ae771f67d5c1c66d2e8ffc1f3dd398b6cd87c6ee813e6108e0f0c8cdfb8cd656c82d3ec4fff7b9d9f84c31e0cfd00b613150bb6eb22ad942c00a5aed379b8e
SSDEEP: 98304:NCDnyTWzDCidsFXGAtljN36bZfRE7Rtc/vNK3egPJP:N2qM+idivVNKbZfREVtc0PJP
Malware Config
Extracted:
  redline
  ws-19
  38.91.100.57:32750
  auth_value: b8974207e31b05e60d39e04eba8eeb0b
Signatures

Detect ZGRat V2 (1 IoCs)
  resource | yara_rule
  behavioral1/memory/2808-3-0x0000000002200000-0x00000000022B6000-memory.dmp | family_zgrat_v2
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/612-20-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
  behavioral1/memory/612-17-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
  behavioral1/memory/612-15-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
  behavioral1/memory/612-23-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
  behavioral1/memory/612-21-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline

Redline family

Zgrat family
Obfuscated with Agile.Net obfuscator (1 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource | yara_rule
  behavioral1/memory/2808-1-0x0000000000870000-0x0000000000C66000-memory.dmp | agile_net
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2808 set thread context of 612 | 2808 | WhatsApp.exe | 32
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WhatsApp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  2848 | powershell.exe
  2808 | WhatsApp.exe
  2808 | WhatsApp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2848 | powershell.exe
  Token: SeDebugPrivilege | 2808 | WhatsApp.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2808 wrote to memory of 2848 | 2808 | WhatsApp.exe | 30
  PID 2808 wrote to memory of 2848 | 2808 | WhatsApp.exe | 30
  PID 2808 wrote to memory of 2848 | 2808 | WhatsApp.exe | 30
  PID 2808 wrote to memory of 2848 | 2808 | WhatsApp.exe | 30
  PID 2808 wrote to memory of 612 | 2808 | WhatsApp.exe | 32
  PID 2808 wrote to memory of 612 | 2808 | WhatsApp.exe | 32
  PID 2808 wrote to memory of 612 | 2808 | WhatsApp.exe | 32
  PID 2808 wrote to memory of 612 | 2808 | WhatsApp.exe | 32
  PID 2808 wrote to memory of 612 | 2808 | WhatsApp.exe | 32
  PID 2808 wrote to memory of 612 | 2808 | WhatsApp.exe | 32
  PID 2808 wrote to memory of 612 | 2808 | WhatsApp.exe | 32
  PID 2808 wrote to memory of 612 | 2808 | WhatsApp.exe | 32
  PID 2808 wrote to memory of 612 | 2808 | WhatsApp.exe | 32
  PID 2808 wrote to memory of 612 | 2808 | WhatsApp.exe | 32
  PID 2808 wrote to memory of 612 | 2808 | WhatsApp.exe | 32
  PID 2808 wrote to memory of 612 | 2808 | WhatsApp.exe | 32
Processes

C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe (PID 2808)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2848, child of PID 2808)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
    Note: the -enc argument is base64-encoded UTF-16LE and decodes to: Start-Sleep -Seconds 15
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 612, child of PID 2808)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    - System Location Discovery: System Language Discovery