redline | 2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e

General

Target

2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe
Size

145KB
MD5

d37e1e3dd70bc0035c13ded75f27c930
SHA1

0e7f454578fb459f2afd7af721e844bf036597c3
SHA256

2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e
SHA512

381c9c9775bfbf9b82e034effe7d8b8d321d179d1eb34962d444e0fc1096df16d4301a91175bdee75bc8ed371636330634b9e56402234dccba5322055684f03e

Score

10^/10

redline smokeloader agilenet backdoor infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/

rc4.i32

Extracted

Family

redline

C2

91.236.120.204:20853

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3600-135-0x0000000000400000-0x0000000000424000-memory.dmp	family_redline
behavioral1/memory/3600-136-0x000000000041CF82-mapping.dmp	family_redline
behavioral1/memory/3600-146-0x0000000004E70000-0x0000000005476000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

EB9E.exeInstallUtil.exe

pid process

3168 EB9E.exe
3600 InstallUtil.exe
Deletes itself 1 IoCs

Processes:

pid process

2648

pid	process
3168	EB9E.exe
3600	InstallUtil.exe

pid	process
2648

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/3168-128-0x0000000006C00000-0x0000000006C21000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

Processes:

2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exeEB9E.exe

description	pid	process	target process
PID 2068 set thread context of 2192	2068	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe
PID 3168 set thread context of 3600	3168	EB9E.exe	InstallUtil.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe

pid	process
2192	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe
2192	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648
2648

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2648
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe

pid process

2192 2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe

pid	process
2648

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

EB9E.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	3168	EB9E.exe
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeDebugPrivilege	3600	InstallUtil.exe
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648
Token: SeShutdownPrivilege	2648
Token: SeCreatePagefilePrivilege	2648

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exeEB9E.exe

description	pid	process	target process
PID 2068 wrote to memory of 2192	2068	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe
PID 2068 wrote to memory of 2192	2068	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe
PID 2068 wrote to memory of 2192	2068	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe
PID 2068 wrote to memory of 2192	2068	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe
PID 2068 wrote to memory of 2192	2068	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe
PID 2068 wrote to memory of 2192	2068	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe	2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe
PID 2648 wrote to memory of 3168	2648		EB9E.exe
PID 2648 wrote to memory of 3168	2648		EB9E.exe
PID 2648 wrote to memory of 3168	2648		EB9E.exe
PID 3168 wrote to memory of 3600	3168	EB9E.exe	InstallUtil.exe
PID 3168 wrote to memory of 3600	3168	EB9E.exe	InstallUtil.exe
PID 3168 wrote to memory of 3600	3168	EB9E.exe	InstallUtil.exe
PID 3168 wrote to memory of 3600	3168	EB9E.exe	InstallUtil.exe
PID 3168 wrote to memory of 3600	3168	EB9E.exe	InstallUtil.exe
PID 3168 wrote to memory of 3600	3168	EB9E.exe	InstallUtil.exe
PID 3168 wrote to memory of 3600	3168	EB9E.exe	InstallUtil.exe
PID 3168 wrote to memory of 3600	3168	EB9E.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe
"C:\Users\Admin\AppData\Local\Temp\2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe
"C:\Users\Admin\AppData\Local\Temp\2d10e11cf76770ce4a4941b7abd930008b79e18306478031df821ef9ae9d5b2e.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2192

C:\Users\Admin\AppData\Local\Temp\EB9E.exe
C:\Users\Admin\AppData\Local\Temp\EB9E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EB9E.exe
MD5
2a34b7d748abd5e2452cccd9c9ce667b

SHA1
5dc04e66168d882935a0b84c85e65066fc92e35a

SHA256
e542667b648f351268e6402491ba2bb3609e7239448d11b24aabdc2fd4ecd34a

SHA512
b41c9f34a402b7dd20ee8c2465ffd6536bda3b9f9c1473b3f5e400c49f1ebb867d24c82a1f01dbe14f361a3407c0496162038f060173a0d6d3f2acbbfe35d045

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB9E.exe
MD5
2a34b7d748abd5e2452cccd9c9ce667b

SHA1
5dc04e66168d882935a0b84c85e65066fc92e35a

SHA256
e542667b648f351268e6402491ba2bb3609e7239448d11b24aabdc2fd4ecd34a

SHA512
b41c9f34a402b7dd20ee8c2465ffd6536bda3b9f9c1473b3f5e400c49f1ebb867d24c82a1f01dbe14f361a3407c0496162038f060173a0d6d3f2acbbfe35d045

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
memory/2068-117-0x0000000000500000-0x0000000000509000-memory.dmp

Filesize
36KB

Download
memory/2192-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2192-116-0x0000000000402FA5-mapping.dmp

Download
memory/2648-118-0x0000000000B70000-0x0000000000B86000-memory.dmp

Filesize
88KB

Download
memory/3168-132-0x0000000005600000-0x0000000005AFE000-memory.dmp

Filesize
5.0MB

Download
memory/3168-122-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3168-126-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/3168-127-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/3168-128-0x0000000006C00000-0x0000000006C21000-memory.dmp

Filesize
132KB

Download
memory/3168-129-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

Filesize
4KB

Download
memory/3168-130-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/3168-131-0x0000000005600000-0x0000000005AFE000-memory.dmp

Filesize
5.0MB

Download
memory/3168-124-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/3168-133-0x00000000075F0000-0x00000000075FB000-memory.dmp

Filesize
44KB

Download
memory/3168-134-0x0000000009BF0000-0x0000000009BF1000-memory.dmp

Filesize
4KB

Download
memory/3168-119-0x0000000000000000-mapping.dmp

Download
memory/3168-125-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/3600-136-0x000000000041CF82-mapping.dmp

Download
memory/3600-135-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3600-141-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/3600-142-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/3600-143-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/3600-144-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3600-145-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/3600-146-0x0000000004E70000-0x0000000005476000-memory.dmp

Filesize
6.0MB

Download
memory/3600-147-0x0000000006700000-0x0000000006701000-memory.dmp

Filesize
4KB

Download
memory/3600-148-0x0000000006E00000-0x0000000006E01000-memory.dmp

Filesize
4KB

Download
memory/3600-151-0x0000000006AD0000-0x0000000006AD1000-memory.dmp

Filesize
4KB

Download
memory/3600-153-0x0000000006CB0000-0x0000000006CB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads