Analysis
-
max time kernel
141s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2024 05:46
Behavioral task
behavioral1
Sample
WhatsApp/WhatsApp.exe
Resource
win7-20241010-en
General
-
Target
WhatsApp/WhatsApp.exe
-
Size
700.0MB
-
MD5
76e4e31dd3e40ac6790c83fa48419a55
-
SHA1
f42363c9ca8325a47efd4f01f177702433d78ff8
-
SHA256
661d2ed323c8703a7466774162972254589be4ab04abd6067d70ab44bc70d978
-
SHA512
78ae771f67d5c1c66d2e8ffc1f3dd398b6cd87c6ee813e6108e0f0c8cdfb8cd656c82d3ec4fff7b9d9f84c31e0cfd00b613150bb6eb22ad942c00a5aed379b8e
-
SSDEEP
98304:NCDnyTWzDCidsFXGAtljN36bZfRE7Rtc/vNK3egPJP:N2qM+idivVNKbZfREVtc0PJP
Malware Config
Extracted
redline
ws-19
38.91.100.57:32750
-
auth_value
b8974207e31b05e60d39e04eba8eeb0b
Signatures
-
Detect ZGRat V2 1 IoCs
resource yara_rule behavioral2/memory/4512-3-0x00000000059E0000-0x0000000005A96000-memory.dmp family_zgrat_v2 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/3148-33-0x0000000000400000-0x0000000000428000-memory.dmp family_redline -
Redline family
-
Zgrat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation WhatsApp.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral2/memory/4512-1-0x0000000000C40000-0x0000000001036000-memory.dmp agile_net -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4512 set thread context of 3148 4512 WhatsApp.exe 95 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WhatsApp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InstallUtil.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2984 powershell.exe 2984 powershell.exe 4512 WhatsApp.exe 4512 WhatsApp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2984 powershell.exe Token: SeDebugPrivilege 4512 WhatsApp.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4512 wrote to memory of 2984 4512 WhatsApp.exe 89 PID 4512 wrote to memory of 2984 4512 WhatsApp.exe 89 PID 4512 wrote to memory of 2984 4512 WhatsApp.exe 89 PID 4512 wrote to memory of 3148 4512 WhatsApp.exe 95 PID 4512 wrote to memory of 3148 4512 WhatsApp.exe 95 PID 4512 wrote to memory of 3148 4512 WhatsApp.exe 95 PID 4512 wrote to memory of 3148 4512 WhatsApp.exe 95 PID 4512 wrote to memory of 3148 4512 WhatsApp.exe 95 PID 4512 wrote to memory of 3148 4512 WhatsApp.exe 95 PID 4512 wrote to memory of 3148 4512 WhatsApp.exe 95 PID 4512 wrote to memory of 3148 4512 WhatsApp.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe"C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2⤵
- System Location Discovery: System Language Discovery
PID:3148
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82