redline | d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d

Analysis

max time kernel
148s
max time network
115s
platform
windows10_x64
resource
win10v20201028
submitted
12-01-2021 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.FileRepMalware.28229.exe
Size

883KB
MD5

64993cdc07881c3b1726f1bb8b15e6b2
SHA1

49d7bb6f1cc42e53be2968f04d6f320128ee28b8
SHA256

d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d
SHA512

da8a14c38666a6d3490942591ee35391d5a96b1b737c462f2b1c8e73a525c633b1f3b2a12520437e948aee39b3b546f52efff976797bb9998047c28de5f783ad

Score

10^/10

redline discovery infostealer persistence spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1592-23-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral2/memory/1592-24-0x000000000041F51A-mapping.dmp	family_redline
behavioral2/memory/564-64-0x000000000041F51A-mapping.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

smgo.exeInstallUtil.exeexplorre.exeexplorre.exeInstallUtil.exe

pid process

4000 smgo.exe
1592 InstallUtil.exe
732 explorre.exe
2888 explorre.exe
564 InstallUtil.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4000	smgo.exe
1592	InstallUtil.exe
732	explorre.exe
2888	explorre.exe
564	InstallUtil.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\trsd = "C:\\Users\\Admin\\smgo.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

smgo.exe

description	pid	process	target process
PID 4000 set thread context of 1592	4000	smgo.exe	InstallUtil.exe
PID 4000 set thread context of 564	4000	smgo.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.28229.exesmgo.exeexplorre.exeexplorre.exeInstallUtil.exeInstallUtil.exe

pid	process
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4076	SecuriteInfo.com.FileRepMalware.28229.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
732	explorre.exe
2888	explorre.exe
2888	explorre.exe
2888	explorre.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
1592	InstallUtil.exe
1592	InstallUtil.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
564	InstallUtil.exe
564	InstallUtil.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe
4000	smgo.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.28229.exesmgo.exeexplorre.exeexplorre.exeInstallUtil.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	4076	SecuriteInfo.com.FileRepMalware.28229.exe
Token: SeDebugPrivilege	4000	smgo.exe
Token: SeDebugPrivilege	732	explorre.exe
Token: SeDebugPrivilege	2888	explorre.exe
Token: SeDebugPrivilege	1592	InstallUtil.exe
Token: SeDebugPrivilege	564	InstallUtil.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.28229.execmd.exesmgo.exeexplorre.exe

description	pid	process	target process
PID 4076 wrote to memory of 3984	4076	SecuriteInfo.com.FileRepMalware.28229.exe	cmd.exe
PID 4076 wrote to memory of 3984	4076	SecuriteInfo.com.FileRepMalware.28229.exe	cmd.exe
PID 4076 wrote to memory of 3984	4076	SecuriteInfo.com.FileRepMalware.28229.exe	cmd.exe
PID 3984 wrote to memory of 3908	3984	cmd.exe	reg.exe
PID 3984 wrote to memory of 3908	3984	cmd.exe	reg.exe
PID 3984 wrote to memory of 3908	3984	cmd.exe	reg.exe
PID 4076 wrote to memory of 4000	4076	SecuriteInfo.com.FileRepMalware.28229.exe	smgo.exe
PID 4076 wrote to memory of 4000	4076	SecuriteInfo.com.FileRepMalware.28229.exe	smgo.exe
PID 4076 wrote to memory of 4000	4076	SecuriteInfo.com.FileRepMalware.28229.exe	smgo.exe
PID 4000 wrote to memory of 1592	4000	smgo.exe	InstallUtil.exe
PID 4000 wrote to memory of 1592	4000	smgo.exe	InstallUtil.exe
PID 4000 wrote to memory of 1592	4000	smgo.exe	InstallUtil.exe
PID 4000 wrote to memory of 1592	4000	smgo.exe	InstallUtil.exe
PID 4000 wrote to memory of 1592	4000	smgo.exe	InstallUtil.exe
PID 4000 wrote to memory of 1592	4000	smgo.exe	InstallUtil.exe
PID 4000 wrote to memory of 1592	4000	smgo.exe	InstallUtil.exe
PID 4000 wrote to memory of 1592	4000	smgo.exe	InstallUtil.exe
PID 4000 wrote to memory of 732	4000	smgo.exe	explorre.exe
PID 4000 wrote to memory of 732	4000	smgo.exe	explorre.exe
PID 4000 wrote to memory of 732	4000	smgo.exe	explorre.exe
PID 732 wrote to memory of 2888	732	explorre.exe	explorre.exe
PID 732 wrote to memory of 2888	732	explorre.exe	explorre.exe
PID 732 wrote to memory of 2888	732	explorre.exe	explorre.exe
PID 4000 wrote to memory of 564	4000	smgo.exe	InstallUtil.exe
PID 4000 wrote to memory of 564	4000	smgo.exe	InstallUtil.exe
PID 4000 wrote to memory of 564	4000	smgo.exe	InstallUtil.exe
PID 4000 wrote to memory of 564	4000	smgo.exe	InstallUtil.exe
PID 4000 wrote to memory of 564	4000	smgo.exe	InstallUtil.exe
PID 4000 wrote to memory of 564	4000	smgo.exe	InstallUtil.exe
PID 4000 wrote to memory of 564	4000	smgo.exe	InstallUtil.exe
PID 4000 wrote to memory of 564	4000	smgo.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.28229.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.28229.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "trsd" /t REG_SZ /d "C:\Users\Admin\smgo.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "trsd" /t REG_SZ /d "C:\Users\Admin\smgo.exe"
3⤵
- Adds Run key to start application
PID:3908

C:\Users\Admin\smgo.exe
"C:\Users\Admin\smgo.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Users\Admin\AppData\Local\Temp\explorre.exe
"C:\Users\Admin\AppData\Local\Temp\explorre.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732

C:\Users\Admin\AppData\Local\Temp\explorre.exe
"C:\Users\Admin\AppData\Local\Temp\explorre.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

MD5
41eeab75f5c7fadeefb84e8b56974146

SHA1
8f41e25c45976b488c0cbc2e927dacbcd8437c84

SHA256
aa50288666e4334d2996bf6aa4ed127f4ead3b6fcc2f378ed2a69e6d515c349f

SHA512
97d05e91a943e0e4c0fe7449b87ce0e681093fc151070082f2e5aaa20ad62167f716dfb70bfccc05c453cba15db632946898f3625d6f489be756952b24fedd8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\explorre.exe.log

MD5
e555c48cb712a9597ecb55a60135d1f8

SHA1
2081c72d30c34ec3f61f9944545ecdaae11521f7

SHA256
815c80df060afa8acf7640ca011735ef77c66666d03901e04a8767827d5da4e9

SHA512
32129b5be15217e5400f1e7536270a703d62db60ebb06396b9d74703e6a0dcd2e78f7f42b2019093be1508a9310912f305b88de274a295c9135a4086cd8c8427

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.txt

MD5
a190d8b5df7c26864a3e142a763ccc90

SHA1
77659e162354968e601749a0a642864dc9f90597

SHA256
45752791e92c0b162dcc2cefc72917b2016bb46568aecab62d62227819619277

SHA512
01a33063a5ece3ad426ce8272e456617b2200c5941f42f297f40521c074acc935016f6712518a4a434e5699c6b597b35e083d746b080d7fad2a66a141ce481bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.txt

MD5
61a2ebc655617a2c4998fc8d368eb20a

SHA1
e75ffe158f6142dbcaabc01278869def5ce936b7

SHA256
637994691189d1c64f8de22e4fee8b6e0518657af23199f181fcfed780a054e9

SHA512
875b048a13a34f5b9f37f86e7fb66dfa26a30d5bb8d55c0a499b91a5b28c8f011bf98ce0254f8be17618377f4011d6f584a77f404dff01b7086040311e6b9d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.txt

MD5
61a2ebc655617a2c4998fc8d368eb20a

SHA1
e75ffe158f6142dbcaabc01278869def5ce936b7

SHA256
637994691189d1c64f8de22e4fee8b6e0518657af23199f181fcfed780a054e9

SHA512
875b048a13a34f5b9f37f86e7fb66dfa26a30d5bb8d55c0a499b91a5b28c8f011bf98ce0254f8be17618377f4011d6f584a77f404dff01b7086040311e6b9d01

Download Submit
C:\Users\Admin\smgo.exe

MD5
64993cdc07881c3b1726f1bb8b15e6b2

SHA1
49d7bb6f1cc42e53be2968f04d6f320128ee28b8

SHA256
d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d

SHA512
da8a14c38666a6d3490942591ee35391d5a96b1b737c462f2b1c8e73a525c633b1f3b2a12520437e948aee39b3b546f52efff976797bb9998047c28de5f783ad

Download Submit
C:\Users\Admin\smgo.exe

MD5
64993cdc07881c3b1726f1bb8b15e6b2

SHA1
49d7bb6f1cc42e53be2968f04d6f320128ee28b8

SHA256
d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d

SHA512
da8a14c38666a6d3490942591ee35391d5a96b1b737c462f2b1c8e73a525c633b1f3b2a12520437e948aee39b3b546f52efff976797bb9998047c28de5f783ad

Download Submit
memory/564-67-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/564-64-0x000000000041F51A-mapping.dmp

Download
memory/732-38-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/732-39-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/732-35-0x0000000000000000-mapping.dmp

Download
memory/1592-24-0x000000000041F51A-mapping.dmp

Download
memory/1592-57-0x0000000006650000-0x0000000006651000-memory.dmp

Filesize
4KB

Download
memory/1592-31-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/1592-32-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/1592-33-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/1592-34-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/1592-30-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/1592-56-0x00000000066D0000-0x00000000066D1000-memory.dmp

Filesize
4KB

Download
memory/1592-27-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/1592-53-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

Filesize
4KB

Download
memory/1592-55-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/1592-58-0x0000000006A80000-0x0000000006A81000-memory.dmp

Filesize
4KB

Download
memory/1592-59-0x0000000008360000-0x0000000008361000-memory.dmp

Filesize
4KB

Download
memory/1592-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1592-52-0x00000000063E0000-0x00000000063E1000-memory.dmp

Filesize
4KB

Download
memory/2888-46-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-43-0x0000000000000000-mapping.dmp

Download
memory/3908-10-0x0000000000000000-mapping.dmp

Download
memory/3984-9-0x0000000000000000-mapping.dmp

Download
memory/4000-21-0x00000000082B0000-0x00000000082BB000-memory.dmp

Filesize
44KB

Download
memory/4000-14-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/4000-11-0x0000000000000000-mapping.dmp

Download
memory/4000-22-0x000000000B760000-0x000000000B761000-memory.dmp

Filesize
4KB

Download
memory/4076-2-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/4076-8-0x0000000007D10000-0x0000000007D11000-memory.dmp

Filesize
4KB

Download
memory/4076-7-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/4076-6-0x0000000005230000-0x000000000524E000-memory.dmp

Filesize
120KB

Download
memory/4076-5-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/4076-3-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download