redline | 89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10-en-20210920
submitted
26-09-2021 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c7373ab965995304bd8b007f66ebad2.exe
Size

134KB
MD5

2c7373ab965995304bd8b007f66ebad2
SHA1

48a6f884b3a5fd51a371f900cbdb1b8651af72b4
SHA256

89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde
SHA512

52f52a8c42f40fa6fab49cd303a310cd23513439e97e669b92aaec4a78baa60cebed9b66254770d1fcb6c5783e08d90422b17836ee7175effc0f935fa4cbea4e

Score

10^/10

redline smokeloader backdoor discovery evasion infostealer spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://govsurplusstore.com/upload/

http://best-forsale.com/upload/

http://chmxnautoparts.com/upload/

http://kwazone.com/upload/

rc4.i32

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/824-145-0x00000000058B0000-0x0000000005EB6000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

345F.exe4CE9.exe

pid process

2508 345F.exe
824 4CE9.exe

pid	process
2508	345F.exe
824	4CE9.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4CE9.exe345F.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4CE9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4CE9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	345F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	345F.exe

Deletes itself 1 IoCs

Processes:

pid process

3036
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3036

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\345F.exe	themida
behavioral2/memory/2508-121-0x00000000009A0000-0x00000000009A1000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\4CE9.exe	themida
C:\Users\Admin\AppData\Local\Temp\4CE9.exe	themida
behavioral2/memory/824-135-0x0000000000F00000-0x0000000000F01000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

345F.exe4CE9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	345F.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4CE9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

345F.exe4CE9.exe

pid process

2508 345F.exe
824 4CE9.exe

pid	process
2508	345F.exe
824	4CE9.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2c7373ab965995304bd8b007f66ebad2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2c7373ab965995304bd8b007f66ebad2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2c7373ab965995304bd8b007f66ebad2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2c7373ab965995304bd8b007f66ebad2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2c7373ab965995304bd8b007f66ebad2.exe

pid	process
2116	2c7373ab965995304bd8b007f66ebad2.exe
2116	2c7373ab965995304bd8b007f66ebad2.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2c7373ab965995304bd8b007f66ebad2.exe

pid process

2116 2c7373ab965995304bd8b007f66ebad2.exe

pid	process
3036

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

345F.exe4CE9.exe

description	pid	process
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeDebugPrivilege	2508	345F.exe
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeDebugPrivilege	824	4CE9.exe
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

description	pid	target process
PID 3036 wrote to memory of 2508	3036	345F.exe
PID 3036 wrote to memory of 2508	3036	345F.exe
PID 3036 wrote to memory of 2508	3036	345F.exe
PID 3036 wrote to memory of 824	3036	4CE9.exe
PID 3036 wrote to memory of 824	3036	4CE9.exe
PID 3036 wrote to memory of 824	3036	4CE9.exe

C:\Users\Admin\AppData\Local\Temp\2c7373ab965995304bd8b007f66ebad2.exe
"C:\Users\Admin\AppData\Local\Temp\2c7373ab965995304bd8b007f66ebad2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2116

C:\Users\Admin\AppData\Local\Temp\345F.exe
C:\Users\Admin\AppData\Local\Temp\345F.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Users\Admin\AppData\Local\Temp\4CE9.exe
C:\Users\Admin\AppData\Local\Temp\4CE9.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\345F.exe

MD5
706e056e6b2aaebd358701538b774fcd

SHA1
a528290b1eec45a22587c15d8a0135185832e71a

SHA256
c431a09f7c0a0c4ec016f16ca7150c1a6b9227fe5ed216ce004eda4af9878ac8

SHA512
a3ff93f0e7f8781c8c4b664a6d33c63a5bd712dc999f69394a4d991bb3d1059aae0c0c001ec16d6c6b72f3054bce3cb2e7030bd81b15360fdee6a1a8f8c39fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4CE9.exe

MD5
b8408976630c4ccdeffc0f1164a7960c

SHA1
9cd12dc965bf3846a44f851328eb2e5c52f8c01c

SHA256
46854855604b19ab94433e80a09712b6f4b3d7186c93c9516ee9a1ef37514180

SHA512
2ff94576906bcd190bbe8314f64a25c7939c1fe33683e5f7effe6551038c3be4decf86edb476f9c9aa391a1da6a6ccb5c08e2ebba02b9d4ca5dcd622aeb008d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4CE9.exe

MD5
b8408976630c4ccdeffc0f1164a7960c

SHA1
9cd12dc965bf3846a44f851328eb2e5c52f8c01c

SHA256
46854855604b19ab94433e80a09712b6f4b3d7186c93c9516ee9a1ef37514180

SHA512
2ff94576906bcd190bbe8314f64a25c7939c1fe33683e5f7effe6551038c3be4decf86edb476f9c9aa391a1da6a6ccb5c08e2ebba02b9d4ca5dcd622aeb008d4

Download Submit
memory/824-145-0x00000000058B0000-0x0000000005EB6000-memory.dmp

Filesize
6.0MB

Download
memory/824-135-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/824-133-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/824-130-0x0000000000000000-mapping.dmp

Download
memory/2116-116-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2116-115-0x0000000000610000-0x0000000000619000-memory.dmp

Filesize
36KB

Download
memory/2508-127-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2508-140-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/2508-129-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/2508-126-0x0000000005D80000-0x0000000005D81000-memory.dmp

Filesize
4KB

Download
memory/2508-125-0x0000000005E50000-0x0000000005E51000-memory.dmp

Filesize
4KB

Download
memory/2508-124-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/2508-123-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/2508-121-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2508-118-0x0000000000000000-mapping.dmp

Download
memory/2508-128-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/2508-142-0x0000000007C10000-0x0000000007C11000-memory.dmp

Filesize
4KB

Download
memory/2508-144-0x0000000008140000-0x0000000008141000-memory.dmp

Filesize
4KB

Download
memory/2508-146-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/2508-149-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/2508-147-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/2508-148-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/3036-117-0x0000000000DC0000-0x0000000000DD5000-memory.dmp

Filesize
84KB

Download