redline | 433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-en-20211014
submitted
09-11-2021 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db2ef30e8f821c8f00456941f5944849.exe
Size

286KB
MD5

db2ef30e8f821c8f00456941f5944849
SHA1

01a08a69f1e8e6d822ece577a9ebe84a0c7f5f60
SHA256

433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3
SHA512

7e8a3b0a1c57b3e7e8b6bff850d5cd28bbabca63ba90bca0f7a502e3964de641004388afb1271a01e7bc34ba66d6299e487107869c4bc224bf36d6fb900e72ee

Score

10^/10

redline smokeloader new3 backdoor discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://nalirou70.top/

http://xacokuo80.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

redline

Botnet

new3

93.115.20.139:28978

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1620-83-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1620-84-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1620-85-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1620-86-0x0000000000418D26-mapping.dmp	family_redline
behavioral1/memory/1620-88-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

C84E.exeC84E.exeFC89.exeFC89.exeFC89.exe1151.exe321B.exe

pid process

1648 C84E.exe
1644 C84E.exe
932 FC89.exe
1540 FC89.exe
1620 FC89.exe
1916 1151.exe
612 321B.exe
Deletes itself 1 IoCs

Processes:

pid process

1200
Loads dropped DLL 4 IoCs

Processes:

C84E.exeFC89.exe1151.exe

pid process

1648 C84E.exe
932 FC89.exe
932 FC89.exe
1916 1151.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1648	C84E.exe
1644	C84E.exe
932	FC89.exe
1540	FC89.exe
1620	FC89.exe
1916	1151.exe
612	321B.exe

pid	process
1200

pid	process
1648	C84E.exe
932	FC89.exe
932	FC89.exe
1916	1151.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

db2ef30e8f821c8f00456941f5944849.exeC84E.exeFC89.exe

description	pid	process	target process
PID 752 set thread context of 704	752	db2ef30e8f821c8f00456941f5944849.exe	db2ef30e8f821c8f00456941f5944849.exe
PID 1648 set thread context of 1644	1648	C84E.exe	C84E.exe
PID 932 set thread context of 1620	932	FC89.exe	FC89.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1151.exedb2ef30e8f821c8f00456941f5944849.exeC84E.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1151.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db2ef30e8f821c8f00456941f5944849.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db2ef30e8f821c8f00456941f5944849.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C84E.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C84E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1151.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db2ef30e8f821c8f00456941f5944849.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C84E.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1151.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

db2ef30e8f821c8f00456941f5944849.exe

pid	process
704	db2ef30e8f821c8f00456941f5944849.exe
704	db2ef30e8f821c8f00456941f5944849.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1200
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

db2ef30e8f821c8f00456941f5944849.exeC84E.exe1151.exe

pid process

704 db2ef30e8f821c8f00456941f5944849.exe
1644 C84E.exe
1916 1151.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

FC89.exe

description pid process

Token: SeDebugPrivilege 932 FC89.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1200
1200
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1200
1200

pid	process
1200

description	pid	process
Token: SeDebugPrivilege	932	FC89.exe

pid	process
1200
1200

pid	process
1200
1200

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

db2ef30e8f821c8f00456941f5944849.exeC84E.exeFC89.exe

description	pid	process	target process
PID 752 wrote to memory of 704	752	db2ef30e8f821c8f00456941f5944849.exe	db2ef30e8f821c8f00456941f5944849.exe
PID 752 wrote to memory of 704	752	db2ef30e8f821c8f00456941f5944849.exe	db2ef30e8f821c8f00456941f5944849.exe
PID 752 wrote to memory of 704	752	db2ef30e8f821c8f00456941f5944849.exe	db2ef30e8f821c8f00456941f5944849.exe
PID 752 wrote to memory of 704	752	db2ef30e8f821c8f00456941f5944849.exe	db2ef30e8f821c8f00456941f5944849.exe
PID 752 wrote to memory of 704	752	db2ef30e8f821c8f00456941f5944849.exe	db2ef30e8f821c8f00456941f5944849.exe
PID 752 wrote to memory of 704	752	db2ef30e8f821c8f00456941f5944849.exe	db2ef30e8f821c8f00456941f5944849.exe
PID 752 wrote to memory of 704	752	db2ef30e8f821c8f00456941f5944849.exe	db2ef30e8f821c8f00456941f5944849.exe
PID 1200 wrote to memory of 1648	1200		C84E.exe
PID 1200 wrote to memory of 1648	1200		C84E.exe
PID 1200 wrote to memory of 1648	1200		C84E.exe
PID 1200 wrote to memory of 1648	1200		C84E.exe
PID 1648 wrote to memory of 1644	1648	C84E.exe	C84E.exe
PID 1648 wrote to memory of 1644	1648	C84E.exe	C84E.exe
PID 1648 wrote to memory of 1644	1648	C84E.exe	C84E.exe
PID 1648 wrote to memory of 1644	1648	C84E.exe	C84E.exe
PID 1648 wrote to memory of 1644	1648	C84E.exe	C84E.exe
PID 1648 wrote to memory of 1644	1648	C84E.exe	C84E.exe
PID 1648 wrote to memory of 1644	1648	C84E.exe	C84E.exe
PID 1200 wrote to memory of 932	1200		FC89.exe
PID 1200 wrote to memory of 932	1200		FC89.exe
PID 1200 wrote to memory of 932	1200		FC89.exe
PID 1200 wrote to memory of 932	1200		FC89.exe
PID 932 wrote to memory of 1540	932	FC89.exe	FC89.exe
PID 932 wrote to memory of 1540	932	FC89.exe	FC89.exe
PID 932 wrote to memory of 1540	932	FC89.exe	FC89.exe
PID 932 wrote to memory of 1540	932	FC89.exe	FC89.exe
PID 932 wrote to memory of 1620	932	FC89.exe	FC89.exe
PID 932 wrote to memory of 1620	932	FC89.exe	FC89.exe
PID 932 wrote to memory of 1620	932	FC89.exe	FC89.exe
PID 932 wrote to memory of 1620	932	FC89.exe	FC89.exe
PID 932 wrote to memory of 1620	932	FC89.exe	FC89.exe
PID 932 wrote to memory of 1620	932	FC89.exe	FC89.exe
PID 932 wrote to memory of 1620	932	FC89.exe	FC89.exe
PID 932 wrote to memory of 1620	932	FC89.exe	FC89.exe
PID 932 wrote to memory of 1620	932	FC89.exe	FC89.exe
PID 1200 wrote to memory of 1916	1200		1151.exe
PID 1200 wrote to memory of 1916	1200		1151.exe
PID 1200 wrote to memory of 1916	1200		1151.exe
PID 1200 wrote to memory of 1916	1200		1151.exe
PID 1200 wrote to memory of 612	1200		321B.exe
PID 1200 wrote to memory of 612	1200		321B.exe
PID 1200 wrote to memory of 612	1200		321B.exe
PID 1200 wrote to memory of 612	1200		321B.exe

C:\Users\Admin\AppData\Local\Temp\db2ef30e8f821c8f00456941f5944849.exe
"C:\Users\Admin\AppData\Local\Temp\db2ef30e8f821c8f00456941f5944849.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Local\Temp\db2ef30e8f821c8f00456941f5944849.exe
"C:\Users\Admin\AppData\Local\Temp\db2ef30e8f821c8f00456941f5944849.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:704

C:\Users\Admin\AppData\Local\Temp\C84E.exe
C:\Users\Admin\AppData\Local\Temp\C84E.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\C84E.exe
C:\Users\Admin\AppData\Local\Temp\C84E.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1644

C:\Users\Admin\AppData\Local\Temp\FC89.exe
C:\Users\Admin\AppData\Local\Temp\FC89.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\FC89.exe
"C:\Users\Admin\AppData\Local\Temp\FC89.exe"
2⤵
- Executes dropped EXE
PID:1540

C:\Users\Admin\AppData\Local\Temp\FC89.exe
"C:\Users\Admin\AppData\Local\Temp\FC89.exe"
2⤵
- Executes dropped EXE
PID:1620

C:\Users\Admin\AppData\Local\Temp\1151.exe
C:\Users\Admin\AppData\Local\Temp\1151.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1916

C:\Users\Admin\AppData\Local\Temp\321B.exe
C:\Users\Admin\AppData\Local\Temp\321B.exe
1⤵
- Executes dropped EXE
PID:612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1151.exe
MD5
08cb82859479b33dc1d0738b985db28c

SHA1
2162cec3e4a16e4b9c610004011473965cf300f8

SHA256
8db223a1ffa1b3b3788ee9f0e050cc64f7b5cbefa8745e95e00391f7babcce58

SHA512
a69a4eacb8ced14dc55fca39d43d6182fe8d600d4da9fb938298fc151866a26777b45a527bcb2cc099d734111dbeb70224ed16e9b590c8b76b057b905eb7c912

Download Submit
C:\Users\Admin\AppData\Local\Temp\321B.exe
MD5
7bd70ffc35ab8b39fde9bd5faec876db

SHA1
01bb3bf7dd71edbcb81dbfdea0eaa80df35f8443

SHA256
682dec9deb96439e3d921a1bb95cf498729fe8ead7b665a6e17fea7349998cd0

SHA512
88095122f60a9cc515930edc5f7895a1224f4aca0589b85961b657db55a77b8f2ca483a030dd02c6cb65d0e0680df16800a104d5d102c52f316beca26e76dc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\C84E.exe
MD5
db2ef30e8f821c8f00456941f5944849

SHA1
01a08a69f1e8e6d822ece577a9ebe84a0c7f5f60

SHA256
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3

SHA512
7e8a3b0a1c57b3e7e8b6bff850d5cd28bbabca63ba90bca0f7a502e3964de641004388afb1271a01e7bc34ba66d6299e487107869c4bc224bf36d6fb900e72ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\C84E.exe
MD5
db2ef30e8f821c8f00456941f5944849

SHA1
01a08a69f1e8e6d822ece577a9ebe84a0c7f5f60

SHA256
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3

SHA512
7e8a3b0a1c57b3e7e8b6bff850d5cd28bbabca63ba90bca0f7a502e3964de641004388afb1271a01e7bc34ba66d6299e487107869c4bc224bf36d6fb900e72ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\C84E.exe
MD5
db2ef30e8f821c8f00456941f5944849

SHA1
01a08a69f1e8e6d822ece577a9ebe84a0c7f5f60

SHA256
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3

SHA512
7e8a3b0a1c57b3e7e8b6bff850d5cd28bbabca63ba90bca0f7a502e3964de641004388afb1271a01e7bc34ba66d6299e487107869c4bc224bf36d6fb900e72ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC89.exe
MD5
ef9cfb2ddc4af2089df63a761ecc7833

SHA1
2e44dad28f2131822dcd9b7868c11fb1767c3d4b

SHA256
9fd007de870e23deb778b08af3a01e3dfaf9dfc3483496c438ec734b26d26340

SHA512
e95ba94e92470be2b4fcc8fe9e4c128e1e529b3c29c9439fbcfafd972e37bf3ff011b09f7d9fb0ce6e58b39c91f46c5087f433cb9ddda8fa7c319da41427faa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC89.exe
MD5
ef9cfb2ddc4af2089df63a761ecc7833

SHA1
2e44dad28f2131822dcd9b7868c11fb1767c3d4b

SHA256
9fd007de870e23deb778b08af3a01e3dfaf9dfc3483496c438ec734b26d26340

SHA512
e95ba94e92470be2b4fcc8fe9e4c128e1e529b3c29c9439fbcfafd972e37bf3ff011b09f7d9fb0ce6e58b39c91f46c5087f433cb9ddda8fa7c319da41427faa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC89.exe
MD5
ef9cfb2ddc4af2089df63a761ecc7833

SHA1
2e44dad28f2131822dcd9b7868c11fb1767c3d4b

SHA256
9fd007de870e23deb778b08af3a01e3dfaf9dfc3483496c438ec734b26d26340

SHA512
e95ba94e92470be2b4fcc8fe9e4c128e1e529b3c29c9439fbcfafd972e37bf3ff011b09f7d9fb0ce6e58b39c91f46c5087f433cb9ddda8fa7c319da41427faa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC89.exe
MD5
ef9cfb2ddc4af2089df63a761ecc7833

SHA1
2e44dad28f2131822dcd9b7868c11fb1767c3d4b

SHA256
9fd007de870e23deb778b08af3a01e3dfaf9dfc3483496c438ec734b26d26340

SHA512
e95ba94e92470be2b4fcc8fe9e4c128e1e529b3c29c9439fbcfafd972e37bf3ff011b09f7d9fb0ce6e58b39c91f46c5087f433cb9ddda8fa7c319da41427faa2

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\C84E.exe
MD5
db2ef30e8f821c8f00456941f5944849

SHA1
01a08a69f1e8e6d822ece577a9ebe84a0c7f5f60

SHA256
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3

SHA512
7e8a3b0a1c57b3e7e8b6bff850d5cd28bbabca63ba90bca0f7a502e3964de641004388afb1271a01e7bc34ba66d6299e487107869c4bc224bf36d6fb900e72ee

Download Submit
\Users\Admin\AppData\Local\Temp\FC89.exe
MD5
ef9cfb2ddc4af2089df63a761ecc7833

SHA1
2e44dad28f2131822dcd9b7868c11fb1767c3d4b

SHA256
9fd007de870e23deb778b08af3a01e3dfaf9dfc3483496c438ec734b26d26340

SHA512
e95ba94e92470be2b4fcc8fe9e4c128e1e529b3c29c9439fbcfafd972e37bf3ff011b09f7d9fb0ce6e58b39c91f46c5087f433cb9ddda8fa7c319da41427faa2

Download Submit
\Users\Admin\AppData\Local\Temp\FC89.exe
MD5
ef9cfb2ddc4af2089df63a761ecc7833

SHA1
2e44dad28f2131822dcd9b7868c11fb1767c3d4b

SHA256
9fd007de870e23deb778b08af3a01e3dfaf9dfc3483496c438ec734b26d26340

SHA512
e95ba94e92470be2b4fcc8fe9e4c128e1e529b3c29c9439fbcfafd972e37bf3ff011b09f7d9fb0ce6e58b39c91f46c5087f433cb9ddda8fa7c319da41427faa2

Download Submit
memory/612-102-0x0000000002FBB000-0x0000000002FDD000-memory.dmp

Filesize
136KB

Download
memory/612-100-0x0000000000000000-mapping.dmp

Download
memory/704-59-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/704-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/704-58-0x0000000000402DC6-mapping.dmp

Download
memory/752-55-0x000000000028B000-0x000000000029C000-memory.dmp

Filesize
68KB

Download
memory/752-56-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/932-77-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download
memory/932-76-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/932-74-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/932-71-0x0000000000000000-mapping.dmp

Download
memory/932-89-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/1200-60-0x0000000002970000-0x0000000002986000-memory.dmp

Filesize
88KB

Download
memory/1200-99-0x0000000003BC0000-0x0000000003BD6000-memory.dmp

Filesize
88KB

Download
memory/1200-70-0x00000000029A0000-0x00000000029B6000-memory.dmp

Filesize
88KB

Download
memory/1620-84-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1620-83-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1620-85-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1620-88-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1620-91-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1620-81-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1620-82-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1620-86-0x0000000000418D26-mapping.dmp

Download
memory/1644-67-0x0000000000402DC6-mapping.dmp

Download
memory/1648-61-0x0000000000000000-mapping.dmp

Download
memory/1648-63-0x0000000002CDB000-0x0000000002CEC000-memory.dmp

Filesize
68KB

Download
memory/1916-97-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1916-96-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1916-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1916-92-0x0000000000000000-mapping.dmp

Download