Overview
overview
10Static
static
toolspab2 (1).exe
windows7_x64
10toolspab2 (1).exe
windows10_x64
10toolspab2 (10).exe
windows7_x64
10toolspab2 (10).exe
windows10_x64
10toolspab2 (11).exe
windows7_x64
10toolspab2 (11).exe
windows10_x64
10toolspab2 (12).exe
windows7_x64
10toolspab2 (12).exe
windows10_x64
10toolspab2 (13).exe
windows7_x64
10toolspab2 (13).exe
windows10_x64
10toolspab2 (14).exe
windows7_x64
10toolspab2 (14).exe
windows10_x64
10toolspab2 (15).exe
windows7_x64
10toolspab2 (15).exe
windows10_x64
10toolspab2 (16).exe
windows7_x64
10toolspab2 (16).exe
windows10_x64
toolspab2 (17).exe
windows7_x64
10toolspab2 (17).exe
windows10_x64
10toolspab2 (18).exe
windows7_x64
10toolspab2 (18).exe
windows10_x64
10toolspab2 (19).exe
windows7_x64
10toolspab2 (19).exe
windows10_x64
10toolspab2 (2).exe
windows7_x64
10toolspab2 (2).exe
windows10_x64
10toolspab2 (20).exe
windows7_x64
10toolspab2 (20).exe
windows10_x64
10toolspab2 (21).exe
windows7_x64
10toolspab2 (21).exe
windows10_x64
10toolspab2 (22).exe
windows7_x64
10toolspab2 (22).exe
windows10_x64
10toolspab2 (23).exe
windows7_x64
10toolspab2 (23).exe
windows10_x64
10Resubmissions
12-07-2021 16:55
210712-cvz622xsbj 1010-07-2021 13:25
210710-pdfh7kft96 1009-07-2021 23:00
210709-hewxkm1xlj 1009-07-2021 16:08
210709-5ql27kyjqa 1009-07-2021 14:08
210709-pt977a4bhe 1008-07-2021 22:09
210708-3ypfnj5j7x 1008-07-2021 13:30
210708-4hsk7y9f2x 1008-07-2021 12:14
210708-8t5f9z9egj 10Analysis
-
max time kernel
150s -
max time network
192s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
08-07-2021 13:30
Static task
static1
Behavioral task
behavioral1
Sample
toolspab2 (1).exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral2
Sample
toolspab2 (1).exe
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral3
Sample
toolspab2 (10).exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral4
Sample
toolspab2 (10).exe
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral5
Sample
toolspab2 (11).exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral6
Sample
toolspab2 (11).exe
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral7
Sample
toolspab2 (12).exe
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral8
Sample
toolspab2 (12).exe
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral9
Sample
toolspab2 (13).exe
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral10
Sample
toolspab2 (13).exe
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral11
Sample
toolspab2 (14).exe
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral12
Sample
toolspab2 (14).exe
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral13
Sample
toolspab2 (15).exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral14
Sample
toolspab2 (15).exe
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral15
Sample
toolspab2 (16).exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral16
Sample
toolspab2 (16).exe
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral17
Sample
toolspab2 (17).exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral18
Sample
toolspab2 (17).exe
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral19
Sample
toolspab2 (18).exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral20
Sample
toolspab2 (18).exe
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral21
Sample
toolspab2 (19).exe
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral22
Sample
toolspab2 (19).exe
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral23
Sample
toolspab2 (2).exe
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral24
Sample
toolspab2 (2).exe
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral25
Sample
toolspab2 (20).exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral26
Sample
toolspab2 (20).exe
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral27
Sample
toolspab2 (21).exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral28
Sample
toolspab2 (21).exe
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral29
Sample
toolspab2 (22).exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral30
Sample
toolspab2 (22).exe
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral31
Sample
toolspab2 (23).exe
Resource
win7v20210410
windows7_x64
General
-
Target
toolspab2 (18).exe
-
Size
315KB
-
MD5
1d20e1f65938e837ef1b88f10f1bd6c3
-
SHA1
703d7098dbfc476d2181b7fc041cc23e49c368f1
-
SHA256
05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
-
SHA512
f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196
Malware Config
Extracted
smokeloader
2020
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
Extracted
redline
1
45.32.235.238:45555
Extracted
redline
agressor
65.21.122.45:8085
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
resource yara_rule behavioral19/memory/1716-85-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral19/memory/1716-86-0x0000000000417E96-mapping.dmp family_redline behavioral19/memory/1716-88-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral19/memory/564-94-0x0000000000510000-0x000000000052B000-memory.dmp family_redline behavioral19/memory/564-98-0x0000000001E70000-0x0000000001E89000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
pid Process 1464 7A1F.exe 1948 7BC6.exe 780 BA4C.exe 948 BDE6.exe 564 C047.exe 1716 BA4C.exe 1584 CDB0.exe 1996 D84B.exe 828 E42F.exe -
Deletes itself 1 IoCs
pid Process 1264 Process not Found -
Loads dropped DLL 4 IoCs
pid Process 828 toolspab2 (18).exe 780 BA4C.exe 948 BDE6.exe 1584 CDB0.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1164 set thread context of 828 1164 toolspab2 (18).exe 29 PID 780 set thread context of 1716 780 BA4C.exe 34 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab2 (18).exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab2 (18).exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab2 (18).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI CDB0.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI CDB0.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI CDB0.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 BDE6.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 BDE6.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 828 toolspab2 (18).exe 828 toolspab2 (18).exe 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1264 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 828 toolspab2 (18).exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeShutdownPrivilege 1264 Process not Found Token: SeShutdownPrivilege 1264 Process not Found Token: SeShutdownPrivilege 1264 Process not Found Token: SeDebugPrivilege 564 C047.exe Token: SeDebugPrivilege 1716 BA4C.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found 1264 Process not Found -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1464 7A1F.exe 1948 7BC6.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 1164 wrote to memory of 828 1164 toolspab2 (18).exe 29 PID 1164 wrote to memory of 828 1164 toolspab2 (18).exe 29 PID 1164 wrote to memory of 828 1164 toolspab2 (18).exe 29 PID 1164 wrote to memory of 828 1164 toolspab2 (18).exe 29 PID 1164 wrote to memory of 828 1164 toolspab2 (18).exe 29 PID 1164 wrote to memory of 828 1164 toolspab2 (18).exe 29 PID 1164 wrote to memory of 828 1164 toolspab2 (18).exe 29 PID 1264 wrote to memory of 1464 1264 Process not Found 30 PID 1264 wrote to memory of 1464 1264 Process not Found 30 PID 1264 wrote to memory of 1464 1264 Process not Found 30 PID 1264 wrote to memory of 1464 1264 Process not Found 30 PID 1264 wrote to memory of 1948 1264 Process not Found 31 PID 1264 wrote to memory of 1948 1264 Process not Found 31 PID 1264 wrote to memory of 1948 1264 Process not Found 31 PID 1264 wrote to memory of 1948 1264 Process not Found 31 PID 1264 wrote to memory of 780 1264 Process not Found 32 PID 1264 wrote to memory of 780 1264 Process not Found 32 PID 1264 wrote to memory of 780 1264 Process not Found 32 PID 1264 wrote to memory of 780 1264 Process not Found 32 PID 780 wrote to memory of 1716 780 BA4C.exe 34 PID 780 wrote to memory of 1716 780 BA4C.exe 34 PID 780 wrote to memory of 1716 780 BA4C.exe 34 PID 780 wrote to memory of 1716 780 BA4C.exe 34 PID 1264 wrote to memory of 948 1264 Process not Found 35 PID 1264 wrote to memory of 948 1264 Process not Found 35 PID 1264 wrote to memory of 948 1264 Process not Found 35 PID 1264 wrote to memory of 948 1264 Process not Found 35 PID 1264 wrote to memory of 564 1264 Process not Found 36 PID 1264 wrote to memory of 564 1264 Process not Found 36 PID 1264 wrote to memory of 564 1264 Process not Found 36 PID 1264 wrote to memory of 564 1264 Process not Found 36 PID 780 wrote to memory of 1716 780 BA4C.exe 34 PID 780 wrote to memory of 1716 780 BA4C.exe 34 PID 780 wrote to memory of 1716 780 BA4C.exe 34 PID 780 wrote to memory of 1716 780 BA4C.exe 34 PID 780 wrote to memory of 1716 780 BA4C.exe 34 PID 1264 wrote to memory of 1584 1264 Process not Found 37 PID 1264 wrote to memory of 1584 1264 Process not Found 37 PID 1264 wrote to memory of 1584 1264 Process not Found 37 PID 1264 wrote to memory of 1584 1264 Process not Found 37 PID 1264 wrote to memory of 1996 1264 Process not Found 38 PID 1264 wrote to memory of 1996 1264 Process not Found 38 PID 1264 wrote to memory of 1996 1264 Process not Found 38 PID 1264 wrote to memory of 1996 1264 Process not Found 38 PID 1264 wrote to memory of 828 1264 Process not Found 39 PID 1264 wrote to memory of 828 1264 Process not Found 39 PID 1264 wrote to memory of 828 1264 Process not Found 39 PID 1264 wrote to memory of 828 1264 Process not Found 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\toolspab2 (18).exe"C:\Users\Admin\AppData\Local\Temp\toolspab2 (18).exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Users\Admin\AppData\Local\Temp\toolspab2 (18).exe"C:\Users\Admin\AppData\Local\Temp\toolspab2 (18).exe"2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:828
-
-
C:\Users\Admin\AppData\Local\Temp\7A1F.exeC:\Users\Admin\AppData\Local\Temp\7A1F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1464
-
C:\Users\Admin\AppData\Local\Temp\7BC6.exeC:\Users\Admin\AppData\Local\Temp\7BC6.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1948
-
C:\Users\Admin\AppData\Local\Temp\BA4C.exeC:\Users\Admin\AppData\Local\Temp\BA4C.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Users\Admin\AppData\Local\Temp\BA4C.exeC:\Users\Admin\AppData\Local\Temp\BA4C.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\Users\Admin\AppData\Local\Temp\BDE6.exeC:\Users\Admin\AppData\Local\Temp\BDE6.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:948
-
C:\Users\Admin\AppData\Local\Temp\C047.exeC:\Users\Admin\AppData\Local\Temp\C047.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:564
-
C:\Users\Admin\AppData\Local\Temp\CDB0.exeC:\Users\Admin\AppData\Local\Temp\CDB0.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:1584
-
C:\Users\Admin\AppData\Local\Temp\D84B.exeC:\Users\Admin\AppData\Local\Temp\D84B.exe1⤵
- Executes dropped EXE
PID:1996
-
C:\Users\Admin\AppData\Local\Temp\E42F.exeC:\Users\Admin\AppData\Local\Temp\E42F.exe1⤵
- Executes dropped EXE
PID:828
-
C:\Users\Admin\AppData\Local\Temp\F040.exeC:\Users\Admin\AppData\Local\Temp\F040.exe1⤵PID:1700