redline | d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d

Analysis

max time kernel
148s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
12-01-2021 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

newload-crypted.exe
Size

883KB
MD5

64993cdc07881c3b1726f1bb8b15e6b2
SHA1

49d7bb6f1cc42e53be2968f04d6f320128ee28b8
SHA256

d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d
SHA512

da8a14c38666a6d3490942591ee35391d5a96b1b737c462f2b1c8e73a525c633b1f3b2a12520437e948aee39b3b546f52efff976797bb9998047c28de5f783ad

Score

10^/10

redline discovery infostealer persistence spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3832-23-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral2/memory/3832-24-0x000000000041F51A-mapping.dmp	family_redline
behavioral2/memory/1336-64-0x000000000041F51A-mapping.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

smgo.exeInstallUtil.exeexplorre.exeexplorre.exeInstallUtil.exe

pid process

2744 smgo.exe
3832 InstallUtil.exe
2092 explorre.exe
2348 explorre.exe
1336 InstallUtil.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2744	smgo.exe
3832	InstallUtil.exe
2092	explorre.exe
2348	explorre.exe
1336	InstallUtil.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\trsd = "C:\\Users\\Admin\\smgo.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

smgo.exe

description	pid	process	target process
PID 2744 set thread context of 3832	2744	smgo.exe	InstallUtil.exe
PID 2744 set thread context of 1336	2744	smgo.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

newload-crypted.exesmgo.exeexplorre.exeexplorre.exeInstallUtil.exeInstallUtil.exe

pid	process
4048	newload-crypted.exe
4048	newload-crypted.exe
4048	newload-crypted.exe
4048	newload-crypted.exe
4048	newload-crypted.exe
4048	newload-crypted.exe
4048	newload-crypted.exe
4048	newload-crypted.exe
4048	newload-crypted.exe
4048	newload-crypted.exe
4048	newload-crypted.exe
4048	newload-crypted.exe
4048	newload-crypted.exe
4048	newload-crypted.exe
4048	newload-crypted.exe
4048	newload-crypted.exe
4048	newload-crypted.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2092	explorre.exe
2348	explorre.exe
2348	explorre.exe
2348	explorre.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
3832	InstallUtil.exe
3832	InstallUtil.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
1336	InstallUtil.exe
1336	InstallUtil.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe
2744	smgo.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

newload-crypted.exesmgo.exeexplorre.exeexplorre.exeInstallUtil.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	4048	newload-crypted.exe
Token: SeDebugPrivilege	2744	smgo.exe
Token: SeDebugPrivilege	2092	explorre.exe
Token: SeDebugPrivilege	2348	explorre.exe
Token: SeDebugPrivilege	3832	InstallUtil.exe
Token: SeDebugPrivilege	1336	InstallUtil.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

newload-crypted.execmd.exesmgo.exeexplorre.exe

description	pid	process	target process
PID 4048 wrote to memory of 3432	4048	newload-crypted.exe	cmd.exe
PID 4048 wrote to memory of 3432	4048	newload-crypted.exe	cmd.exe
PID 4048 wrote to memory of 3432	4048	newload-crypted.exe	cmd.exe
PID 3432 wrote to memory of 2472	3432	cmd.exe	reg.exe
PID 3432 wrote to memory of 2472	3432	cmd.exe	reg.exe
PID 3432 wrote to memory of 2472	3432	cmd.exe	reg.exe
PID 4048 wrote to memory of 2744	4048	newload-crypted.exe	smgo.exe
PID 4048 wrote to memory of 2744	4048	newload-crypted.exe	smgo.exe
PID 4048 wrote to memory of 2744	4048	newload-crypted.exe	smgo.exe
PID 2744 wrote to memory of 3832	2744	smgo.exe	InstallUtil.exe
PID 2744 wrote to memory of 3832	2744	smgo.exe	InstallUtil.exe
PID 2744 wrote to memory of 3832	2744	smgo.exe	InstallUtil.exe
PID 2744 wrote to memory of 3832	2744	smgo.exe	InstallUtil.exe
PID 2744 wrote to memory of 3832	2744	smgo.exe	InstallUtil.exe
PID 2744 wrote to memory of 3832	2744	smgo.exe	InstallUtil.exe
PID 2744 wrote to memory of 3832	2744	smgo.exe	InstallUtil.exe
PID 2744 wrote to memory of 3832	2744	smgo.exe	InstallUtil.exe
PID 2744 wrote to memory of 2092	2744	smgo.exe	explorre.exe
PID 2744 wrote to memory of 2092	2744	smgo.exe	explorre.exe
PID 2744 wrote to memory of 2092	2744	smgo.exe	explorre.exe
PID 2092 wrote to memory of 2348	2092	explorre.exe	explorre.exe
PID 2092 wrote to memory of 2348	2092	explorre.exe	explorre.exe
PID 2092 wrote to memory of 2348	2092	explorre.exe	explorre.exe
PID 2744 wrote to memory of 1336	2744	smgo.exe	InstallUtil.exe
PID 2744 wrote to memory of 1336	2744	smgo.exe	InstallUtil.exe
PID 2744 wrote to memory of 1336	2744	smgo.exe	InstallUtil.exe
PID 2744 wrote to memory of 1336	2744	smgo.exe	InstallUtil.exe
PID 2744 wrote to memory of 1336	2744	smgo.exe	InstallUtil.exe
PID 2744 wrote to memory of 1336	2744	smgo.exe	InstallUtil.exe
PID 2744 wrote to memory of 1336	2744	smgo.exe	InstallUtil.exe
PID 2744 wrote to memory of 1336	2744	smgo.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\newload-crypted.exe
"C:\Users\Admin\AppData\Local\Temp\newload-crypted.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "trsd" /t REG_SZ /d "C:\Users\Admin\smgo.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "trsd" /t REG_SZ /d "C:\Users\Admin\smgo.exe"
3⤵
- Adds Run key to start application
PID:2472

C:\Users\Admin\smgo.exe
"C:\Users\Admin\smgo.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Users\Admin\AppData\Local\Temp\explorre.exe
"C:\Users\Admin\AppData\Local\Temp\explorre.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\explorre.exe
"C:\Users\Admin\AppData\Local\Temp\explorre.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

MD5
41eeab75f5c7fadeefb84e8b56974146

SHA1
8f41e25c45976b488c0cbc2e927dacbcd8437c84

SHA256
aa50288666e4334d2996bf6aa4ed127f4ead3b6fcc2f378ed2a69e6d515c349f

SHA512
97d05e91a943e0e4c0fe7449b87ce0e681093fc151070082f2e5aaa20ad62167f716dfb70bfccc05c453cba15db632946898f3625d6f489be756952b24fedd8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\explorre.exe.log

MD5
e555c48cb712a9597ecb55a60135d1f8

SHA1
2081c72d30c34ec3f61f9944545ecdaae11521f7

SHA256
815c80df060afa8acf7640ca011735ef77c66666d03901e04a8767827d5da4e9

SHA512
32129b5be15217e5400f1e7536270a703d62db60ebb06396b9d74703e6a0dcd2e78f7f42b2019093be1508a9310912f305b88de274a295c9135a4086cd8c8427

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.txt

MD5
883a57ceba38de651c3cc235e05d9200

SHA1
ba1ab14d0be7f2ac8e28401d951d99bb25fd3d6e

SHA256
82d83e804c6fd792c6473c3c08e5285b6b332f66e488ac99bf390f492f3b2b01

SHA512
1da42d9350b908379c47d8ad5be3d53802aac710585b3b7a149cf2659631667ab2aa7d786619c1e82a01151ab49dc7ec20f1f595caf499f134b77a6cb3860124

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.txt

MD5
c792303ea73812db0dbe838922e44339

SHA1
effb032cff31c1deb0329fdab4999fc15895b852

SHA256
6e4adf4a9101cc8b4b5dd0e9fb93d417119a13e9212301cfeb3e6a17559381f4

SHA512
720546091fa4501783e9880f088fc2a8a8dc62c78f53c263693af51f0d7e5b60b38fe73f9cff9485d7ff800f79ab0a13b93f968f1515817b6587439a95fa2121

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorre.txt

MD5
fe98b202fd05f793c6cf1853e3e01439

SHA1
28760836e669cf0e9405ee97bbffd9cf991e4545

SHA256
6ae58df7e27aee676b37b31e00729c27a96b00cba7bf607e05178207afb87238

SHA512
8468488bc99a3538a3b792580872605f215301a62f22ad5b1337a1e1eadb27febf8ddb725c51d8831383da2e7a0f6d216ebbff21b5ce6a993a302264b1ac5f86

Download Submit
C:\Users\Admin\smgo.exe

MD5
64993cdc07881c3b1726f1bb8b15e6b2

SHA1
49d7bb6f1cc42e53be2968f04d6f320128ee28b8

SHA256
d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d

SHA512
da8a14c38666a6d3490942591ee35391d5a96b1b737c462f2b1c8e73a525c633b1f3b2a12520437e948aee39b3b546f52efff976797bb9998047c28de5f783ad

Download Submit
C:\Users\Admin\smgo.exe

MD5
64993cdc07881c3b1726f1bb8b15e6b2

SHA1
49d7bb6f1cc42e53be2968f04d6f320128ee28b8

SHA256
d43838212ddf94f2e613eeeaf305893081963706657e5588273a798e5ca5690d

SHA512
da8a14c38666a6d3490942591ee35391d5a96b1b737c462f2b1c8e73a525c633b1f3b2a12520437e948aee39b3b546f52efff976797bb9998047c28de5f783ad

Download Submit
memory/1336-64-0x000000000041F51A-mapping.dmp

Download
memory/1336-67-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2092-38-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2092-39-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2092-34-0x0000000000000000-mapping.dmp

Download
memory/2348-46-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2348-43-0x0000000000000000-mapping.dmp

Download
memory/2472-10-0x0000000000000000-mapping.dmp

Download
memory/2744-22-0x000000000BFB0000-0x000000000BFB1000-memory.dmp

Filesize
4KB

Download
memory/2744-11-0x0000000000000000-mapping.dmp

Download
memory/2744-14-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-21-0x0000000008B00000-0x0000000008B0B000-memory.dmp

Filesize
44KB

Download
memory/3432-9-0x0000000000000000-mapping.dmp

Download
memory/3832-57-0x00000000069A0000-0x00000000069A1000-memory.dmp

Filesize
4KB

Download
memory/3832-53-0x0000000006DB0000-0x0000000006DB1000-memory.dmp

Filesize
4KB

Download
memory/3832-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3832-24-0x000000000041F51A-mapping.dmp

Download
memory/3832-27-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/3832-33-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/3832-32-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/3832-59-0x0000000008600000-0x0000000008601000-memory.dmp

Filesize
4KB

Download
memory/3832-31-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/3832-58-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/3832-52-0x00000000066B0000-0x00000000066B1000-memory.dmp

Filesize
4KB

Download
memory/3832-37-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/3832-55-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/3832-56-0x0000000006920000-0x0000000006921000-memory.dmp

Filesize
4KB

Download
memory/3832-30-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/4048-8-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/4048-2-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/4048-7-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/4048-6-0x0000000000DD0000-0x0000000000DEE000-memory.dmp

Filesize
120KB

Download
memory/4048-5-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4048-3-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download