redline | da702dc8c9bb7c1448fc8b284a961390466a2a9be3383dc0cd30404ed0dcfef5

Analysis

max time kernel
152s
max time network
127s
platform
windows10_x64
resource
win10-en-20211104
submitted
07-12-2021 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59f19c0c51dd9af08b2f6eacd2f947a9.exe
Size

319KB
MD5

59f19c0c51dd9af08b2f6eacd2f947a9
SHA1

4f93d27337ef53449b797dff32fc27a8d81b75d9
SHA256

da702dc8c9bb7c1448fc8b284a961390466a2a9be3383dc0cd30404ed0dcfef5
SHA512

1d18a8209a5b28946fcfd4d151e56cfe0d456fb43786bdea850f3f7ea3fa44ceb5517981b8e4043c95a5d8124bf8c3618543aa221c3fe093fae13e72c269992c

Score

10^/10

redline smokeloader backdoor discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32

Extracted

Family

redline

195.133.47.114:38627

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FD68.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\FD68.exe	family_redline
behavioral2/memory/2340-147-0x0000000000290000-0x00000000002FC000-memory.dmp	family_redline
behavioral2/memory/3864-184-0x00000000013D0000-0x000000000143C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

6B39.exeSmartClock.exeFD68.exe1B70.exe3831.exe4AEF.exe

pid process

2436 6B39.exe
872 SmartClock.exe
760 FD68.exe
2340 1B70.exe
2232 3831.exe
3864 4AEF.exe
Deletes itself 1 IoCs

Processes:

pid process

3016
Drops startup file 1 IoCs

Processes:

6B39.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 6B39.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

1B70.exe4AEF.exe

pid process

2340 1B70.exe
3864 4AEF.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3052 2232 WerFault.exe 3831.exe

pid	process
2436	6B39.exe
872	SmartClock.exe
760	FD68.exe
2340	1B70.exe
2232	3831.exe
3864	4AEF.exe

pid	process
3016

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	6B39.exe

pid	process
2340	1B70.exe
3864	4AEF.exe

pid	pid_target	process	target process
3052	2232	WerFault.exe	3831.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

59f19c0c51dd9af08b2f6eacd2f947a9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	59f19c0c51dd9af08b2f6eacd2f947a9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	59f19c0c51dd9af08b2f6eacd2f947a9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	59f19c0c51dd9af08b2f6eacd2f947a9.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

872 SmartClock.exe

pid	process
872	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

59f19c0c51dd9af08b2f6eacd2f947a9.exe

pid	process
2392	59f19c0c51dd9af08b2f6eacd2f947a9.exe
2392	59f19c0c51dd9af08b2f6eacd2f947a9.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3016
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

59f19c0c51dd9af08b2f6eacd2f947a9.exe

pid process

2392 59f19c0c51dd9af08b2f6eacd2f947a9.exe

pid	process
3016

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

WerFault.exe1B70.exeFD68.exe4AEF.exe

description	pid	process
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	3052	WerFault.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	2340	1B70.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	760	FD68.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeDebugPrivilege	3864	4AEF.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

6B39.exe

description	pid	process	target process
PID 3016 wrote to memory of 2436	3016		6B39.exe
PID 3016 wrote to memory of 2436	3016		6B39.exe
PID 3016 wrote to memory of 2436	3016		6B39.exe
PID 2436 wrote to memory of 872	2436	6B39.exe	SmartClock.exe
PID 2436 wrote to memory of 872	2436	6B39.exe	SmartClock.exe
PID 2436 wrote to memory of 872	2436	6B39.exe	SmartClock.exe
PID 3016 wrote to memory of 760	3016		FD68.exe
PID 3016 wrote to memory of 760	3016		FD68.exe
PID 3016 wrote to memory of 760	3016		FD68.exe
PID 3016 wrote to memory of 2340	3016		1B70.exe
PID 3016 wrote to memory of 2340	3016		1B70.exe
PID 3016 wrote to memory of 2340	3016		1B70.exe
PID 3016 wrote to memory of 2232	3016		3831.exe
PID 3016 wrote to memory of 2232	3016		3831.exe
PID 3016 wrote to memory of 3864	3016		4AEF.exe
PID 3016 wrote to memory of 3864	3016		4AEF.exe
PID 3016 wrote to memory of 3864	3016		4AEF.exe

C:\Users\Admin\AppData\Local\Temp\59f19c0c51dd9af08b2f6eacd2f947a9.exe
"C:\Users\Admin\AppData\Local\Temp\59f19c0c51dd9af08b2f6eacd2f947a9.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2392

C:\Users\Admin\AppData\Local\Temp\6B39.exe
C:\Users\Admin\AppData\Local\Temp\6B39.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:872

C:\Users\Admin\AppData\Local\Temp\FD68.exe
C:\Users\Admin\AppData\Local\Temp\FD68.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Users\Admin\AppData\Local\Temp\1B70.exe
C:\Users\Admin\AppData\Local\Temp\1B70.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Users\Admin\AppData\Local\Temp\3831.exe
C:\Users\Admin\AppData\Local\Temp\3831.exe
1⤵
- Executes dropped EXE
PID:2232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2232 -s 420
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Users\Admin\AppData\Local\Temp\4AEF.exe
C:\Users\Admin\AppData\Local\Temp\4AEF.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B70.exe
MD5
f80418f12c03a56ac2e8d8b189c13750

SHA1
cd0b728375e4e178b50bca8ad65ce79aede30d37

SHA256
cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716

SHA512
e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B70.exe
MD5
f80418f12c03a56ac2e8d8b189c13750

SHA1
cd0b728375e4e178b50bca8ad65ce79aede30d37

SHA256
cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716

SHA512
e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196

Download Submit
C:\Users\Admin\AppData\Local\Temp\3831.exe
MD5
180fc8466647515a888cba4bdacb60db

SHA1
a6a5201f997c665603c9fe05a1d08add514337a3

SHA256
3c8517c6cfab98c7fdda9f3a53e7178c0a42729a9473d53224788581e42bb116

SHA512
4146285d11141ac567e0c574c3aa4f19201ad9825b2a605f5022a4305ac9860529bb4443ea80ac5ccb0e51873fa802c7d6fa8d13ac195cd35519b82ba3c3fa1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3831.exe
MD5
180fc8466647515a888cba4bdacb60db

SHA1
a6a5201f997c665603c9fe05a1d08add514337a3

SHA256
3c8517c6cfab98c7fdda9f3a53e7178c0a42729a9473d53224788581e42bb116

SHA512
4146285d11141ac567e0c574c3aa4f19201ad9825b2a605f5022a4305ac9860529bb4443ea80ac5ccb0e51873fa802c7d6fa8d13ac195cd35519b82ba3c3fa1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4AEF.exe
MD5
f80418f12c03a56ac2e8d8b189c13750

SHA1
cd0b728375e4e178b50bca8ad65ce79aede30d37

SHA256
cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716

SHA512
e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196

Download Submit
C:\Users\Admin\AppData\Local\Temp\4AEF.exe
MD5
f80418f12c03a56ac2e8d8b189c13750

SHA1
cd0b728375e4e178b50bca8ad65ce79aede30d37

SHA256
cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716

SHA512
e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B39.exe
MD5
7fcebf4307160681aeb56cd499a7a8f1

SHA1
12b2bfa96f466ee8dcebd7bf5a0d37a78667984d

SHA256
0a594e79222fe26dd5e642b08d400a2a88f7c9bb935cd27224e754ec671fefd2

SHA512
8045cedb8e0a8a07819dfce9e56c7c9a227e0a1f953ed162f5654cc0a969c6be320283b4eafed17c2c3978d18a2d93faa666b0dce2b48ea31e7edeb06bef65bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B39.exe
MD5
7fcebf4307160681aeb56cd499a7a8f1

SHA1
12b2bfa96f466ee8dcebd7bf5a0d37a78667984d

SHA256
0a594e79222fe26dd5e642b08d400a2a88f7c9bb935cd27224e754ec671fefd2

SHA512
8045cedb8e0a8a07819dfce9e56c7c9a227e0a1f953ed162f5654cc0a969c6be320283b4eafed17c2c3978d18a2d93faa666b0dce2b48ea31e7edeb06bef65bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD68.exe
MD5
3ba1d635fed88d8af279be91b7007bae

SHA1
62a1d59c746cdb51e699114f410749384a70cf73

SHA256
3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a

SHA512
83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD68.exe
MD5
3ba1d635fed88d8af279be91b7007bae

SHA1
62a1d59c746cdb51e699114f410749384a70cf73

SHA256
3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a

SHA512
83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
7fcebf4307160681aeb56cd499a7a8f1

SHA1
12b2bfa96f466ee8dcebd7bf5a0d37a78667984d

SHA256
0a594e79222fe26dd5e642b08d400a2a88f7c9bb935cd27224e754ec671fefd2

SHA512
8045cedb8e0a8a07819dfce9e56c7c9a227e0a1f953ed162f5654cc0a969c6be320283b4eafed17c2c3978d18a2d93faa666b0dce2b48ea31e7edeb06bef65bd

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
7fcebf4307160681aeb56cd499a7a8f1

SHA1
12b2bfa96f466ee8dcebd7bf5a0d37a78667984d

SHA256
0a594e79222fe26dd5e642b08d400a2a88f7c9bb935cd27224e754ec671fefd2

SHA512
8045cedb8e0a8a07819dfce9e56c7c9a227e0a1f953ed162f5654cc0a969c6be320283b4eafed17c2c3978d18a2d93faa666b0dce2b48ea31e7edeb06bef65bd

Download Submit
memory/760-140-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/760-156-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/760-162-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/760-133-0x0000000000000000-mapping.dmp

Download
memory/760-164-0x0000000006570000-0x0000000006571000-memory.dmp

Filesize
4KB

Download
memory/760-166-0x0000000006230000-0x0000000006231000-memory.dmp

Filesize
4KB

Download
memory/760-136-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/760-138-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/760-139-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/760-170-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/760-141-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/760-142-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/760-143-0x0000000005450000-0x0000000005A56000-memory.dmp

Filesize
6.0MB

Download
memory/760-165-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/760-169-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/872-131-0x00000000005C1000-0x0000000000641000-memory.dmp

Filesize
512KB

Download
memory/872-128-0x0000000000000000-mapping.dmp

Download
memory/872-132-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2232-172-0x0000000000000000-mapping.dmp

Download
memory/2340-147-0x0000000000290000-0x00000000002FC000-memory.dmp

Filesize
432KB

Download
memory/2340-168-0x000000006FDA0000-0x000000006FDEB000-memory.dmp

Filesize
300KB

Download
memory/2340-144-0x0000000000000000-mapping.dmp

Download
memory/2340-158-0x00000000022F0000-0x0000000002335000-memory.dmp

Filesize
276KB

Download
memory/2340-149-0x0000000074080000-0x0000000074242000-memory.dmp

Filesize
1.8MB

Download
memory/2340-160-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/2340-161-0x00000000766F0000-0x0000000076C74000-memory.dmp

Filesize
5.5MB

Download
memory/2340-148-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2340-153-0x0000000071B50000-0x0000000071BD0000-memory.dmp

Filesize
512KB

Download
memory/2340-151-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2340-150-0x0000000073B40000-0x0000000073C31000-memory.dmp

Filesize
964KB

Download
memory/2340-163-0x00000000744F0000-0x0000000075838000-memory.dmp

Filesize
19.3MB

Download
memory/2392-119-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2392-118-0x00000000006C1000-0x00000000006D2000-memory.dmp

Filesize
68KB

Download
memory/2392-120-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2436-126-0x0000000000740000-0x00000000007D1000-memory.dmp

Filesize
580KB

Download
memory/2436-125-0x0000000000861000-0x00000000008E1000-memory.dmp

Filesize
512KB

Download
memory/2436-122-0x0000000000000000-mapping.dmp

Download
memory/2436-127-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3016-121-0x0000000001260000-0x0000000001276000-memory.dmp

Filesize
88KB

Download
memory/3864-181-0x0000000000000000-mapping.dmp

Download
memory/3864-184-0x00000000013D0000-0x000000000143C000-memory.dmp

Filesize
432KB

Download
memory/3864-185-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/3864-186-0x0000000074080000-0x0000000074242000-memory.dmp

Filesize
1.8MB

Download
memory/3864-187-0x0000000073B40000-0x0000000073C31000-memory.dmp

Filesize
964KB

Download
memory/3864-188-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/3864-190-0x0000000071940000-0x00000000719C0000-memory.dmp

Filesize
512KB

Download
memory/3864-195-0x00000000766F0000-0x0000000076C74000-memory.dmp

Filesize
5.5MB

Download
memory/3864-196-0x0000000001380000-0x00000000013C5000-memory.dmp

Filesize
276KB

Download
memory/3864-198-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/3864-197-0x00000000744F0000-0x0000000075838000-memory.dmp

Filesize
19.3MB

Download
memory/3864-199-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/3864-200-0x000000006FB90000-0x000000006FBDB000-memory.dmp

Filesize
300KB

Download