redline | cc314098116588eacaf0c8a3cbba68ad92ab76f19ed2b63f61f4981fe861da33

General

Target

cc314098116588eacaf0c8a3cbba68ad92ab76f19ed2b63f61f4981fe861da33.exe
Size

341KB
MD5

0c2c37017fbc1b929c9f69ba4dd8a155
SHA1

e5f2442c7e1bdef1e9319686b60c842804bf6469
SHA256

cc314098116588eacaf0c8a3cbba68ad92ab76f19ed2b63f61f4981fe861da33
SHA512

28e6136f937c5abc108fa1c856240ee674e3a6a913cf21ce3ef817d2a23397af2fdc83c08737b4a4f9aa5651e281652a75af5e3ae81e06d86421a0923134e687

Score

10^/10

redline smokeloader systembc backdoor infostealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32

Extracted

Family

redline

C2

195.133.47.114:38627

Extracted

Family

systembc

C2

185.209.30.180:4001

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BA63.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\BA63.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

BA63.exe5C22.exe5C22.exe

pid process

740 BA63.exe
4544 5C22.exe
800 5C22.exe
Deletes itself 1 IoCs

Processes:

pid process

3020
Drops file in Windows directory 2 IoCs

Processes:

5C22.exe

description ioc process

File created C:\Windows\Tasks\wow64.job 5C22.exe
File opened for modification C:\Windows\Tasks\wow64.job 5C22.exe

pid	process
740	BA63.exe
4544	5C22.exe
800	5C22.exe

pid	process
3020

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	5C22.exe
File opened for modification	C:\Windows\Tasks\wow64.job	5C22.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cc314098116588eacaf0c8a3cbba68ad92ab76f19ed2b63f61f4981fe861da33.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cc314098116588eacaf0c8a3cbba68ad92ab76f19ed2b63f61f4981fe861da33.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cc314098116588eacaf0c8a3cbba68ad92ab76f19ed2b63f61f4981fe861da33.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cc314098116588eacaf0c8a3cbba68ad92ab76f19ed2b63f61f4981fe861da33.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cc314098116588eacaf0c8a3cbba68ad92ab76f19ed2b63f61f4981fe861da33.exe

pid	process
3548	cc314098116588eacaf0c8a3cbba68ad92ab76f19ed2b63f61f4981fe861da33.exe
3548	cc314098116588eacaf0c8a3cbba68ad92ab76f19ed2b63f61f4981fe861da33.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3020
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cc314098116588eacaf0c8a3cbba68ad92ab76f19ed2b63f61f4981fe861da33.exe

pid process

3548 cc314098116588eacaf0c8a3cbba68ad92ab76f19ed2b63f61f4981fe861da33.exe

pid	process
3020

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

description	pid	target process
PID 3020 wrote to memory of 740	3020	BA63.exe
PID 3020 wrote to memory of 740	3020	BA63.exe
PID 3020 wrote to memory of 740	3020	BA63.exe
PID 3020 wrote to memory of 4544	3020	5C22.exe
PID 3020 wrote to memory of 4544	3020	5C22.exe
PID 3020 wrote to memory of 4544	3020	5C22.exe

C:\Users\Admin\AppData\Local\Temp\cc314098116588eacaf0c8a3cbba68ad92ab76f19ed2b63f61f4981fe861da33.exe
"C:\Users\Admin\AppData\Local\Temp\cc314098116588eacaf0c8a3cbba68ad92ab76f19ed2b63f61f4981fe861da33.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3548

C:\Users\Admin\AppData\Local\Temp\BA63.exe
C:\Users\Admin\AppData\Local\Temp\BA63.exe
1⤵
- Executes dropped EXE
PID:740

C:\Users\Admin\AppData\Local\Temp\5C22.exe
C:\Users\Admin\AppData\Local\Temp\5C22.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4544

C:\Users\Admin\AppData\Local\Temp\5C22.exe
C:\Users\Admin\AppData\Local\Temp\5C22.exe start
1⤵
- Executes dropped EXE
PID:800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5C22.exe

MD5
fd4e0205ce36f99ff343a78ec3e251bc

SHA1
b633df31339acb69f708a41fd227298420fd4036

SHA256
617f9d822418a44cac50b28755f2d075fac1c2de21995820912f07f4b4ee8075

SHA512
f413a054603bc0bc86d1657e3960c4b691e7900be36e9470a408264cb63ad0eb9d7cea7b83dbfdf7f727ea5c359d7d6ab5b565ab60976735d67f00c5a082f50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C22.exe

MD5
fd4e0205ce36f99ff343a78ec3e251bc

SHA1
b633df31339acb69f708a41fd227298420fd4036

SHA256
617f9d822418a44cac50b28755f2d075fac1c2de21995820912f07f4b4ee8075

SHA512
f413a054603bc0bc86d1657e3960c4b691e7900be36e9470a408264cb63ad0eb9d7cea7b83dbfdf7f727ea5c359d7d6ab5b565ab60976735d67f00c5a082f50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C22.exe

MD5
fd4e0205ce36f99ff343a78ec3e251bc

SHA1
b633df31339acb69f708a41fd227298420fd4036

SHA256
617f9d822418a44cac50b28755f2d075fac1c2de21995820912f07f4b4ee8075

SHA512
f413a054603bc0bc86d1657e3960c4b691e7900be36e9470a408264cb63ad0eb9d7cea7b83dbfdf7f727ea5c359d7d6ab5b565ab60976735d67f00c5a082f50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA63.exe

MD5
3ba1d635fed88d8af279be91b7007bae

SHA1
62a1d59c746cdb51e699114f410749384a70cf73

SHA256
3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a

SHA512
83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA63.exe

MD5
3ba1d635fed88d8af279be91b7007bae

SHA1
62a1d59c746cdb51e699114f410749384a70cf73

SHA256
3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a

SHA512
83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb

Download Submit
memory/740-128-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/740-119-0x0000000000000000-mapping.dmp

Download
memory/740-124-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/740-125-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/740-126-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/740-127-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/740-122-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/740-129-0x0000000005350000-0x0000000005956000-memory.dmp

Filesize
6.0MB

Download
memory/800-138-0x0000000002B80000-0x0000000002CCA000-memory.dmp

Filesize
1.3MB

Download
memory/800-139-0x0000000000400000-0x0000000002B74000-memory.dmp

Filesize
39.5MB

Download
memory/800-137-0x0000000002B80000-0x0000000002CCA000-memory.dmp

Filesize
1.3MB

Download
memory/3020-118-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

Filesize
88KB

Download
memory/3548-116-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3548-117-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/4544-130-0x0000000000000000-mapping.dmp

Download
memory/4544-136-0x0000000000400000-0x0000000002B74000-memory.dmp

Filesize
39.5MB

Download
memory/4544-134-0x0000000002BB0000-0x0000000002BB5000-memory.dmp

Filesize
20KB

Download
memory/4544-133-0x0000000002BA0000-0x0000000002BA6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads