redline | d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
12-01-2021 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

newload-crypted.exe
Size

883KB
MD5

64993cdc07881c3b1726f1bb8b15e6b2
SHA1

49d7bb6f1cc42e53be2968f04d6f320128ee28b8
SHA256

d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d
SHA512

da8a14c38666a6d3490942591ee35391d5a96b1b737c462f2b1c8e73a525c633b1f3b2a12520437e948aee39b3b546f52efff976797bb9998047c28de5f783ad

Score

10^/10

redline discovery infostealer persistence spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/840-22-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/840-23-0x000000000041F51A-mapping.dmp	family_redline
behavioral1/memory/840-25-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/840-26-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1412-50-0x000000000041F51A-mapping.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

smgo.exeInstallUtil.exeexplorre.exeexplorre.exeInstallUtil.exe

pid process

360 smgo.exe
840 InstallUtil.exe
1084 explorre.exe
1716 explorre.exe
1412 InstallUtil.exe
Loads dropped DLL 5 IoCs

Processes:

newload-crypted.exesmgo.exeexplorre.exe

pid process

1408 newload-crypted.exe
360 smgo.exe
360 smgo.exe
1084 explorre.exe
360 smgo.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
360	smgo.exe
840	InstallUtil.exe
1084	explorre.exe
1716	explorre.exe
1412	InstallUtil.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\trsd = "C:\\Users\\Admin\\smgo.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

smgo.exe

description	pid	process	target process
PID 360 set thread context of 840	360	smgo.exe	InstallUtil.exe
PID 360 set thread context of 1412	360	smgo.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 61 IoCs

Processes:

newload-crypted.exesmgo.exeexplorre.exeexplorre.exeInstallUtil.exeInstallUtil.exe

pid	process
1408	newload-crypted.exe
1408	newload-crypted.exe
1408	newload-crypted.exe
1408	newload-crypted.exe
1408	newload-crypted.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
1084	explorre.exe
1716	explorre.exe
1716	explorre.exe
1716	explorre.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
840	InstallUtil.exe
840	InstallUtil.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
1412	InstallUtil.exe
1412	InstallUtil.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe
360	smgo.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

newload-crypted.exesmgo.exeexplorre.exeexplorre.exeInstallUtil.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1408	newload-crypted.exe
Token: SeDebugPrivilege	360	smgo.exe
Token: SeDebugPrivilege	1084	explorre.exe
Token: SeDebugPrivilege	1716	explorre.exe
Token: SeDebugPrivilege	840	InstallUtil.exe
Token: SeDebugPrivilege	1412	InstallUtil.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

newload-crypted.execmd.exesmgo.exeexplorre.exe

description	pid	process	target process
PID 1408 wrote to memory of 1520	1408	newload-crypted.exe	cmd.exe
PID 1408 wrote to memory of 1520	1408	newload-crypted.exe	cmd.exe
PID 1408 wrote to memory of 1520	1408	newload-crypted.exe	cmd.exe
PID 1408 wrote to memory of 1520	1408	newload-crypted.exe	cmd.exe
PID 1520 wrote to memory of 1788	1520	cmd.exe	reg.exe
PID 1520 wrote to memory of 1788	1520	cmd.exe	reg.exe
PID 1520 wrote to memory of 1788	1520	cmd.exe	reg.exe
PID 1520 wrote to memory of 1788	1520	cmd.exe	reg.exe
PID 1408 wrote to memory of 360	1408	newload-crypted.exe	smgo.exe
PID 1408 wrote to memory of 360	1408	newload-crypted.exe	smgo.exe
PID 1408 wrote to memory of 360	1408	newload-crypted.exe	smgo.exe
PID 1408 wrote to memory of 360	1408	newload-crypted.exe	smgo.exe
PID 360 wrote to memory of 840	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 840	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 840	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 840	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 840	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 840	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 840	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 840	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 840	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 840	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 840	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 840	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 1084	360	smgo.exe	explorre.exe
PID 360 wrote to memory of 1084	360	smgo.exe	explorre.exe
PID 360 wrote to memory of 1084	360	smgo.exe	explorre.exe
PID 360 wrote to memory of 1084	360	smgo.exe	explorre.exe
PID 1084 wrote to memory of 1716	1084	explorre.exe	explorre.exe
PID 1084 wrote to memory of 1716	1084	explorre.exe	explorre.exe
PID 1084 wrote to memory of 1716	1084	explorre.exe	explorre.exe
PID 1084 wrote to memory of 1716	1084	explorre.exe	explorre.exe
PID 360 wrote to memory of 1412	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 1412	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 1412	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 1412	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 1412	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 1412	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 1412	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 1412	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 1412	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 1412	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 1412	360	smgo.exe	InstallUtil.exe
PID 360 wrote to memory of 1412	360	smgo.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\newload-crypted.exe
"C:\Users\Admin\AppData\Local\Temp\newload-crypted.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "trsd" /t REG_SZ /d "C:\Users\Admin\smgo.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "trsd" /t REG_SZ /d "C:\Users\Admin\smgo.exe"
3⤵
- Adds Run key to start application
PID:1788

C:\Users\Admin\smgo.exe
"C:\Users\Admin\smgo.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:360

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Users\Admin\AppData\Local\Temp\explorre.exe
"C:\Users\Admin\AppData\Local\Temp\explorre.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\explorre.exe
"C:\Users\Admin\AppData\Local\Temp\explorre.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.txt

MD5
7ab7e52299cf7c49a7f60ac354a9e073

SHA1
d8beed906bdab921c2a2451d52e9178a993a0ffd

SHA256
12099e2689d42e0d80d4a436f0cf3c6b3b817a81535426f681225121e9971860

SHA512
565f51210712093569f800c7c0dcf325dd1c14c3ebbc452b7cfbba6e62409927c44b7c527cd86d6b68e324bc475b161c108c48fd862a9f5c28187828e3d540f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.txt

MD5
9be17ae8e86ddf16ff1e7ff0c38b163d

SHA1
d7141af1c5a13df7fba594b4c1f22a01b199c303

SHA256
e003f1e76fbbaacbde33ba7451047f1c54de1ebf218e67127c663a532cd66478

SHA512
ac5309c285ec82b746fdc8acaf791e1f12cc8d8300778b95a2c871fb6bfd831041fd9a1b9511cf743fe756e2ff096d02daf6ac2a813290e5c3f647f95c19c149

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.txt

MD5
9be17ae8e86ddf16ff1e7ff0c38b163d

SHA1
d7141af1c5a13df7fba594b4c1f22a01b199c303

SHA256
e003f1e76fbbaacbde33ba7451047f1c54de1ebf218e67127c663a532cd66478

SHA512
ac5309c285ec82b746fdc8acaf791e1f12cc8d8300778b95a2c871fb6bfd831041fd9a1b9511cf743fe756e2ff096d02daf6ac2a813290e5c3f647f95c19c149

Download Submit
C:\Users\Admin\smgo.exe

MD5
64993cdc07881c3b1726f1bb8b15e6b2

SHA1
49d7bb6f1cc42e53be2968f04d6f320128ee28b8

SHA256
d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d

SHA512
da8a14c38666a6d3490942591ee35391d5a96b1b737c462f2b1c8e73a525c633b1f3b2a12520437e948aee39b3b546f52efff976797bb9998047c28de5f783ad

Download Submit
C:\Users\Admin\smgo.exe

MD5
64993cdc07881c3b1726f1bb8b15e6b2

SHA1
49d7bb6f1cc42e53be2968f04d6f320128ee28b8

SHA256
d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d

SHA512
da8a14c38666a6d3490942591ee35391d5a96b1b737c462f2b1c8e73a525c633b1f3b2a12520437e948aee39b3b546f52efff976797bb9998047c28de5f783ad

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\smgo.exe

MD5
64993cdc07881c3b1726f1bb8b15e6b2

SHA1
49d7bb6f1cc42e53be2968f04d6f320128ee28b8

SHA256
d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d

SHA512
da8a14c38666a6d3490942591ee35391d5a96b1b737c462f2b1c8e73a525c633b1f3b2a12520437e948aee39b3b546f52efff976797bb9998047c28de5f783ad

Download Submit
memory/360-10-0x0000000000000000-mapping.dmp

Download
memory/360-14-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/360-13-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/360-19-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/360-18-0x0000000002010000-0x000000000201B000-memory.dmp

Filesize
44KB

Download
memory/840-23-0x000000000041F51A-mapping.dmp

Download
memory/840-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/840-26-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/840-27-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/840-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1084-31-0x0000000000000000-mapping.dmp

Download
memory/1084-34-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/1084-35-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/1408-2-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/1408-6-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1408-5-0x00000000004D0000-0x00000000004EE000-memory.dmp

Filesize
120KB

Download
memory/1408-3-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1412-50-0x000000000041F51A-mapping.dmp

Download
memory/1412-54-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/1520-7-0x0000000000000000-mapping.dmp

Download
memory/1716-39-0x0000000000000000-mapping.dmp

Download
memory/1716-41-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/1788-8-0x0000000000000000-mapping.dmp

Download