redline | d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d

Analysis

max time kernel
149s
max time network
63s
platform
windows7_x64
resource
win7v20201028
submitted
12-01-2021 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.FileRepMalware.28229.exe
Size

883KB
MD5

64993cdc07881c3b1726f1bb8b15e6b2
SHA1

49d7bb6f1cc42e53be2968f04d6f320128ee28b8
SHA256

d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d
SHA512

da8a14c38666a6d3490942591ee35391d5a96b1b737c462f2b1c8e73a525c633b1f3b2a12520437e948aee39b3b546f52efff976797bb9998047c28de5f783ad

Score

10^/10

redline discovery infostealer persistence spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1256-22-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1256-23-0x000000000041F51A-mapping.dmp	family_redline
behavioral1/memory/1256-25-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1256-26-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1768-50-0x000000000041F51A-mapping.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

smgo.exeInstallUtil.exeexplorre.exeexplorre.exeInstallUtil.exe

pid process

1676 smgo.exe
1256 InstallUtil.exe
1980 explorre.exe
1536 explorre.exe
1768 InstallUtil.exe
Loads dropped DLL 5 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.28229.exesmgo.exeexplorre.exe

pid process

1828 SecuriteInfo.com.FileRepMalware.28229.exe
1676 smgo.exe
1676 smgo.exe
1980 explorre.exe
1676 smgo.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1676	smgo.exe
1256	InstallUtil.exe
1980	explorre.exe
1536	explorre.exe
1768	InstallUtil.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\trsd = "C:\\Users\\Admin\\smgo.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

smgo.exe

description	pid	process	target process
PID 1676 set thread context of 1256	1676	smgo.exe	InstallUtil.exe
PID 1676 set thread context of 1768	1676	smgo.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.28229.exesmgo.exeexplorre.exeexplorre.exeInstallUtil.exeInstallUtil.exe

pid	process
1828	SecuriteInfo.com.FileRepMalware.28229.exe
1828	SecuriteInfo.com.FileRepMalware.28229.exe
1828	SecuriteInfo.com.FileRepMalware.28229.exe
1828	SecuriteInfo.com.FileRepMalware.28229.exe
1828	SecuriteInfo.com.FileRepMalware.28229.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1980	explorre.exe
1536	explorre.exe
1536	explorre.exe
1536	explorre.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1256	InstallUtil.exe
1256	InstallUtil.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1768	InstallUtil.exe
1768	InstallUtil.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe
1676	smgo.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.28229.exesmgo.exeexplorre.exeexplorre.exeInstallUtil.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1828	SecuriteInfo.com.FileRepMalware.28229.exe
Token: SeDebugPrivilege	1676	smgo.exe
Token: SeDebugPrivilege	1980	explorre.exe
Token: SeDebugPrivilege	1536	explorre.exe
Token: SeDebugPrivilege	1256	InstallUtil.exe
Token: SeDebugPrivilege	1768	InstallUtil.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.28229.execmd.exesmgo.exeexplorre.exe

description	pid	process	target process
PID 1828 wrote to memory of 332	1828	SecuriteInfo.com.FileRepMalware.28229.exe	cmd.exe
PID 1828 wrote to memory of 332	1828	SecuriteInfo.com.FileRepMalware.28229.exe	cmd.exe
PID 1828 wrote to memory of 332	1828	SecuriteInfo.com.FileRepMalware.28229.exe	cmd.exe
PID 1828 wrote to memory of 332	1828	SecuriteInfo.com.FileRepMalware.28229.exe	cmd.exe
PID 332 wrote to memory of 300	332	cmd.exe	reg.exe
PID 332 wrote to memory of 300	332	cmd.exe	reg.exe
PID 332 wrote to memory of 300	332	cmd.exe	reg.exe
PID 332 wrote to memory of 300	332	cmd.exe	reg.exe
PID 1828 wrote to memory of 1676	1828	SecuriteInfo.com.FileRepMalware.28229.exe	smgo.exe
PID 1828 wrote to memory of 1676	1828	SecuriteInfo.com.FileRepMalware.28229.exe	smgo.exe
PID 1828 wrote to memory of 1676	1828	SecuriteInfo.com.FileRepMalware.28229.exe	smgo.exe
PID 1828 wrote to memory of 1676	1828	SecuriteInfo.com.FileRepMalware.28229.exe	smgo.exe
PID 1676 wrote to memory of 1256	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1256	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1256	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1256	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1256	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1256	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1256	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1256	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1256	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1256	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1256	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1256	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1980	1676	smgo.exe	explorre.exe
PID 1676 wrote to memory of 1980	1676	smgo.exe	explorre.exe
PID 1676 wrote to memory of 1980	1676	smgo.exe	explorre.exe
PID 1676 wrote to memory of 1980	1676	smgo.exe	explorre.exe
PID 1980 wrote to memory of 1536	1980	explorre.exe	explorre.exe
PID 1980 wrote to memory of 1536	1980	explorre.exe	explorre.exe
PID 1980 wrote to memory of 1536	1980	explorre.exe	explorre.exe
PID 1980 wrote to memory of 1536	1980	explorre.exe	explorre.exe
PID 1676 wrote to memory of 1768	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1768	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1768	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1768	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1768	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1768	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1768	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1768	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1768	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1768	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1768	1676	smgo.exe	InstallUtil.exe
PID 1676 wrote to memory of 1768	1676	smgo.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.28229.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.28229.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "trsd" /t REG_SZ /d "C:\Users\Admin\smgo.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "trsd" /t REG_SZ /d "C:\Users\Admin\smgo.exe"
3⤵
- Adds Run key to start application
PID:300

C:\Users\Admin\smgo.exe
"C:\Users\Admin\smgo.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Users\Admin\AppData\Local\Temp\explorre.exe
"C:\Users\Admin\AppData\Local\Temp\explorre.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\explorre.exe
"C:\Users\Admin\AppData\Local\Temp\explorre.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.txt

MD5
f03dad75f3141bda60a3d2514d792576

SHA1
a7d37f8fdec116ef8d07d241fafe577449dd68c5

SHA256
d22ea88cd7a83bbef1ae5421d9ffd5e57615addc09f05de0bb77fc9e5cbcd154

SHA512
558853fdbe6a36e3870fa02f94160426598d494469ec6bdae7c532284a779f4bf298a72911a9aabfbcc56fdbd7417336d2126b907b6f93a20999bdb72d69f4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.txt

MD5
c2e1ae0b06dc5176b9ef50b1d694836b

SHA1
fbc09e38de74a2089e26576296f312467dfb1173

SHA256
b6ae267540772cbb281dc6f6015fe3c4734121da6c2b215ec92639128241f54f

SHA512
ec27eaa1b956a0aedba56d2f3f0204a29feb4e3f039e1fb958ea2df0a7a2ab40153daba74bb08a08df4705f0ec12f5f14adecffb13bd5bb6d72ab1a50417896a

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.txt

MD5
c2e1ae0b06dc5176b9ef50b1d694836b

SHA1
fbc09e38de74a2089e26576296f312467dfb1173

SHA256
b6ae267540772cbb281dc6f6015fe3c4734121da6c2b215ec92639128241f54f

SHA512
ec27eaa1b956a0aedba56d2f3f0204a29feb4e3f039e1fb958ea2df0a7a2ab40153daba74bb08a08df4705f0ec12f5f14adecffb13bd5bb6d72ab1a50417896a

Download Submit
C:\Users\Admin\smgo.exe

MD5
64993cdc07881c3b1726f1bb8b15e6b2

SHA1
49d7bb6f1cc42e53be2968f04d6f320128ee28b8

SHA256
d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d

SHA512
da8a14c38666a6d3490942591ee35391d5a96b1b737c462f2b1c8e73a525c633b1f3b2a12520437e948aee39b3b546f52efff976797bb9998047c28de5f783ad

Download Submit
C:\Users\Admin\smgo.exe

MD5
64993cdc07881c3b1726f1bb8b15e6b2

SHA1
49d7bb6f1cc42e53be2968f04d6f320128ee28b8

SHA256
d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d

SHA512
da8a14c38666a6d3490942591ee35391d5a96b1b737c462f2b1c8e73a525c633b1f3b2a12520437e948aee39b3b546f52efff976797bb9998047c28de5f783ad

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\smgo.exe

MD5
64993cdc07881c3b1726f1bb8b15e6b2

SHA1
49d7bb6f1cc42e53be2968f04d6f320128ee28b8

SHA256
d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d

SHA512
da8a14c38666a6d3490942591ee35391d5a96b1b737c462f2b1c8e73a525c633b1f3b2a12520437e948aee39b3b546f52efff976797bb9998047c28de5f783ad

Download Submit
memory/300-8-0x0000000000000000-mapping.dmp

Download
memory/332-7-0x0000000000000000-mapping.dmp

Download
memory/1256-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1256-23-0x000000000041F51A-mapping.dmp

Download
memory/1256-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1256-26-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1256-27-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1536-41-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1536-39-0x0000000000000000-mapping.dmp

Download
memory/1676-14-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/1676-18-0x00000000005D0000-0x00000000005DB000-memory.dmp

Filesize
44KB

Download
memory/1676-10-0x0000000000000000-mapping.dmp

Download
memory/1676-13-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1676-19-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1768-54-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1768-50-0x000000000041F51A-mapping.dmp

Download
memory/1828-6-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1828-2-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1828-5-0x0000000000380000-0x000000000039E000-memory.dmp

Filesize
120KB

Download
memory/1828-3-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1980-35-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/1980-34-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-31-0x0000000000000000-mapping.dmp

Download