redline | 88e66423a3a96f03441102060b775e35d0e401a3e4f74e1c3e54f9bfdcd06258

Analysis

max time kernel
152s
max time network
152s
platform
windows7_x64
resource
win7-en-20211104
submitted
07-12-2021 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

345eaa8379ef8daed16ebc210e7c0165.exe
Size

319KB
MD5

345eaa8379ef8daed16ebc210e7c0165
SHA1

c9278fe7bf96f97556527782f271a554a8b73a68
SHA256

88e66423a3a96f03441102060b775e35d0e401a3e4f74e1c3e54f9bfdcd06258
SHA512

1a094d8070c0243fcbdef5ff8361192ae7e98f396072f28105b70680b2b7386d3afad64f8f784d5d5e1d54f690b0cb2871e0929c1aad0ad64c543d68dc2b0b5b

Score

10^/10

redline smokeloader backdoor infostealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32

Extracted

Family

redline

195.133.47.114:38627

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1236-78-0x0000000001210000-0x0000000001278000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\B2A.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\B2A.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

D1A1.exeSmartClock.exeF3C2.exeB2A.exe

pid process

1664 D1A1.exe
1552 SmartClock.exe
1236 F3C2.exe
2016 B2A.exe
Deletes itself 1 IoCs

Processes:

pid process

1368
Drops startup file 1 IoCs

Processes:

D1A1.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk D1A1.exe
Loads dropped DLL 3 IoCs

Processes:

D1A1.exe

pid process

1664 D1A1.exe
1664 D1A1.exe
1664 D1A1.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

F3C2.exe

pid process

1236 F3C2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1664	D1A1.exe
1552	SmartClock.exe
1236	F3C2.exe
2016	B2A.exe

pid	process
1368

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	D1A1.exe

pid	process
1664	D1A1.exe
1664	D1A1.exe
1664	D1A1.exe

pid	process
1236	F3C2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

345eaa8379ef8daed16ebc210e7c0165.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	345eaa8379ef8daed16ebc210e7c0165.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	345eaa8379ef8daed16ebc210e7c0165.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	345eaa8379ef8daed16ebc210e7c0165.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1552 SmartClock.exe

pid	process
1552	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

345eaa8379ef8daed16ebc210e7c0165.exe

pid	process
452	345eaa8379ef8daed16ebc210e7c0165.exe
452	345eaa8379ef8daed16ebc210e7c0165.exe
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1368
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

345eaa8379ef8daed16ebc210e7c0165.exe

pid process

452 345eaa8379ef8daed16ebc210e7c0165.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1368
1368
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1368
1368
1368
1368

pid	process
1368

pid	process
1368
1368

pid	process
1368
1368
1368
1368

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

D1A1.exe

description	pid	process	target process
PID 1368 wrote to memory of 1664	1368		D1A1.exe
PID 1368 wrote to memory of 1664	1368		D1A1.exe
PID 1368 wrote to memory of 1664	1368		D1A1.exe
PID 1368 wrote to memory of 1664	1368		D1A1.exe
PID 1664 wrote to memory of 1552	1664	D1A1.exe	SmartClock.exe
PID 1664 wrote to memory of 1552	1664	D1A1.exe	SmartClock.exe
PID 1664 wrote to memory of 1552	1664	D1A1.exe	SmartClock.exe
PID 1664 wrote to memory of 1552	1664	D1A1.exe	SmartClock.exe
PID 1368 wrote to memory of 1236	1368		F3C2.exe
PID 1368 wrote to memory of 1236	1368		F3C2.exe
PID 1368 wrote to memory of 1236	1368		F3C2.exe
PID 1368 wrote to memory of 1236	1368		F3C2.exe
PID 1368 wrote to memory of 1236	1368		F3C2.exe
PID 1368 wrote to memory of 1236	1368		F3C2.exe
PID 1368 wrote to memory of 1236	1368		F3C2.exe
PID 1368 wrote to memory of 2016	1368		B2A.exe
PID 1368 wrote to memory of 2016	1368		B2A.exe
PID 1368 wrote to memory of 2016	1368		B2A.exe
PID 1368 wrote to memory of 2016	1368		B2A.exe

C:\Users\Admin\AppData\Local\Temp\345eaa8379ef8daed16ebc210e7c0165.exe
"C:\Users\Admin\AppData\Local\Temp\345eaa8379ef8daed16ebc210e7c0165.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:452

C:\Users\Admin\AppData\Local\Temp\D1A1.exe
C:\Users\Admin\AppData\Local\Temp\D1A1.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1552

C:\Users\Admin\AppData\Local\Temp\F3C2.exe
C:\Users\Admin\AppData\Local\Temp\F3C2.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1236

C:\Users\Admin\AppData\Local\Temp\B2A.exe
C:\Users\Admin\AppData\Local\Temp\B2A.exe
1⤵
- Executes dropped EXE
PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B2A.exe
MD5
3ba1d635fed88d8af279be91b7007bae

SHA1
62a1d59c746cdb51e699114f410749384a70cf73

SHA256
3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a

SHA512
83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2A.exe
MD5
3ba1d635fed88d8af279be91b7007bae

SHA1
62a1d59c746cdb51e699114f410749384a70cf73

SHA256
3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a

SHA512
83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1A1.exe
MD5
ad8f4c6461affa64e60a9bab7f996b36

SHA1
cdb36ffc32f72e55f4f44d72cdd3f56aa949d8e2

SHA256
a0dcf1dd6746864b884620af57235b5569f36abecea94bfc5f3064c67c6d1afb

SHA512
8e03f54ebf17e4caef253eabaf15927c724971f8dcc614ea4ad4cc9ca717cb86ab242bc4ec6377622fee1856614ace94411135c7922d0ccf5213aba996d77eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1A1.exe
MD5
ad8f4c6461affa64e60a9bab7f996b36

SHA1
cdb36ffc32f72e55f4f44d72cdd3f56aa949d8e2

SHA256
a0dcf1dd6746864b884620af57235b5569f36abecea94bfc5f3064c67c6d1afb

SHA512
8e03f54ebf17e4caef253eabaf15927c724971f8dcc614ea4ad4cc9ca717cb86ab242bc4ec6377622fee1856614ace94411135c7922d0ccf5213aba996d77eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\F3C2.exe
MD5
77ce7ab11225c5e723b7b1be0308e8c0

SHA1
709a8df1d49f28cf8c293694bbbbd0f07735829b

SHA256
d407b5c7d9568448f1e7387924fe4dded9e016632879c386c307ef5dcf63f496

SHA512
f73582206397db625bdefbbaf8abdc1a820ae8054eb2ef2a3ed18c8e00e8365c7ad81013b33990e4304619b3834a1b8b15c782905204add158fca686e2c25c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F3C2.exe
MD5
77ce7ab11225c5e723b7b1be0308e8c0

SHA1
709a8df1d49f28cf8c293694bbbbd0f07735829b

SHA256
d407b5c7d9568448f1e7387924fe4dded9e016632879c386c307ef5dcf63f496

SHA512
f73582206397db625bdefbbaf8abdc1a820ae8054eb2ef2a3ed18c8e00e8365c7ad81013b33990e4304619b3834a1b8b15c782905204add158fca686e2c25c3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk
MD5
68ff04f9e4cceae53d21ff35fd756c77

SHA1
24a97745b875c8979a99c38f5aedb37d6647fa26

SHA256
edb2fe86bd038ed3fa8303cc4b29aa1c4db59232f754471654146bf77a6ed27d

SHA512
7dbd6ece188d888c981fe0641360c5cd99af49313c63cc7bf0e877f76c2d2db4bab72aa3cd1966a8c0e2331050dc0053bc37f686cbd3283ba3e67414030661d1

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
ad8f4c6461affa64e60a9bab7f996b36

SHA1
cdb36ffc32f72e55f4f44d72cdd3f56aa949d8e2

SHA256
a0dcf1dd6746864b884620af57235b5569f36abecea94bfc5f3064c67c6d1afb

SHA512
8e03f54ebf17e4caef253eabaf15927c724971f8dcc614ea4ad4cc9ca717cb86ab242bc4ec6377622fee1856614ace94411135c7922d0ccf5213aba996d77eba

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
ad8f4c6461affa64e60a9bab7f996b36

SHA1
cdb36ffc32f72e55f4f44d72cdd3f56aa949d8e2

SHA256
a0dcf1dd6746864b884620af57235b5569f36abecea94bfc5f3064c67c6d1afb

SHA512
8e03f54ebf17e4caef253eabaf15927c724971f8dcc614ea4ad4cc9ca717cb86ab242bc4ec6377622fee1856614ace94411135c7922d0ccf5213aba996d77eba

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
ad8f4c6461affa64e60a9bab7f996b36

SHA1
cdb36ffc32f72e55f4f44d72cdd3f56aa949d8e2

SHA256
a0dcf1dd6746864b884620af57235b5569f36abecea94bfc5f3064c67c6d1afb

SHA512
8e03f54ebf17e4caef253eabaf15927c724971f8dcc614ea4ad4cc9ca717cb86ab242bc4ec6377622fee1856614ace94411135c7922d0ccf5213aba996d77eba

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
ad8f4c6461affa64e60a9bab7f996b36

SHA1
cdb36ffc32f72e55f4f44d72cdd3f56aa949d8e2

SHA256
a0dcf1dd6746864b884620af57235b5569f36abecea94bfc5f3064c67c6d1afb

SHA512
8e03f54ebf17e4caef253eabaf15927c724971f8dcc614ea4ad4cc9ca717cb86ab242bc4ec6377622fee1856614ace94411135c7922d0ccf5213aba996d77eba

Download Submit
memory/452-55-0x0000000000588000-0x0000000000599000-memory.dmp

Filesize
68KB

Download
memory/452-58-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/452-57-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/452-56-0x0000000075461000-0x0000000075463000-memory.dmp

Filesize
8KB

Download
memory/1236-86-0x0000000075250000-0x00000000753AC000-memory.dmp

Filesize
1.4MB

Download
memory/1236-89-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/1236-73-0x0000000000000000-mapping.dmp

Download
memory/1236-91-0x0000000074B40000-0x0000000074BCF000-memory.dmp

Filesize
572KB

Download
memory/1236-94-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/1236-77-0x0000000074870000-0x00000000748BA000-memory.dmp

Filesize
296KB

Download
memory/1236-78-0x0000000001210000-0x0000000001278000-memory.dmp

Filesize
416KB

Download
memory/1236-79-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1236-82-0x0000000000220000-0x0000000000265000-memory.dmp

Filesize
276KB

Download
memory/1236-81-0x0000000076AF0000-0x0000000076B9C000-memory.dmp

Filesize
688KB

Download
memory/1236-83-0x0000000076A90000-0x0000000076AD7000-memory.dmp

Filesize
284KB

Download
memory/1236-84-0x0000000075400000-0x0000000075457000-memory.dmp

Filesize
348KB

Download
memory/1368-59-0x00000000029A0000-0x00000000029B6000-memory.dmp

Filesize
88KB

Download
memory/1552-87-0x0000000000728000-0x00000000007A8000-memory.dmp

Filesize
512KB

Download
memory/1552-70-0x0000000000000000-mapping.dmp

Download
memory/1552-93-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1664-66-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1664-65-0x0000000000330000-0x00000000003C1000-memory.dmp

Filesize
580KB

Download
memory/1664-62-0x0000000000668000-0x00000000006E8000-memory.dmp

Filesize
512KB

Download
memory/1664-60-0x0000000000000000-mapping.dmp

Download
memory/2016-95-0x0000000000000000-mapping.dmp

Download
memory/2016-99-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download