redline | bfb63daf8e5d09c7a464bfec38d2d5e4737bd3d2c04974616ef46b5ffddcc8f1

Analysis

max time kernel
151s
max time network
148s
platform
windows7_x64
resource
win7-en-20211208
submitted
10-12-2021 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b03090cd1bd177ae33407bf0660045ed.exe
Size

219KB
MD5

b03090cd1bd177ae33407bf0660045ed
SHA1

2813830526d47eda025534dcf6956b468b340dcd
SHA256

bfb63daf8e5d09c7a464bfec38d2d5e4737bd3d2c04974616ef46b5ffddcc8f1
SHA512

b4b107b6edb252369e850c31fb6dd04616236bf3f44298b2e85d09d47f7167d870d625012dfae070f8f10ed6431712aff5c58ff68a0bbcdb2b6a62843e72f037

Score

10^/10

redline smokeloader backdoor infostealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/584-63-0x0000000000CC0000-0x0000000000D2C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

3756.exe497F.exevtfwrgb

pid process

584 3756.exe
1788 497F.exe
1768 vtfwrgb
Deletes itself 1 IoCs

Processes:

pid process

1220
Loads dropped DLL 4 IoCs

Processes:

pid process

1220
1220
1220
1220
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

3756.exe

pid process

584 3756.exe

pid	process
584	3756.exe
1788	497F.exe
1768	vtfwrgb

pid	process
1220

pid	process
1220
1220
1220
1220

pid	process
584	3756.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vtfwrgbb03090cd1bd177ae33407bf0660045ed.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vtfwrgb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b03090cd1bd177ae33407bf0660045ed.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b03090cd1bd177ae33407bf0660045ed.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b03090cd1bd177ae33407bf0660045ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vtfwrgb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vtfwrgb

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b03090cd1bd177ae33407bf0660045ed.exe

pid	process
748	b03090cd1bd177ae33407bf0660045ed.exe
748	b03090cd1bd177ae33407bf0660045ed.exe
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1220
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

b03090cd1bd177ae33407bf0660045ed.exevtfwrgb

pid process

748 b03090cd1bd177ae33407bf0660045ed.exe
1768 vtfwrgb

pid	process
1220

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeShutdownPrivilege	1220
Token: SeShutdownPrivilege	1220
Token: SeShutdownPrivilege	1220

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1220
1220
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1220
1220

pid	process
1220
1220

pid	process
1220
1220

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

497F.exepowershell.execsc.exetaskeng.exe

description	pid	process	target process
PID 1220 wrote to memory of 584	1220		3756.exe
PID 1220 wrote to memory of 584	1220		3756.exe
PID 1220 wrote to memory of 584	1220		3756.exe
PID 1220 wrote to memory of 584	1220		3756.exe
PID 1220 wrote to memory of 584	1220		3756.exe
PID 1220 wrote to memory of 584	1220		3756.exe
PID 1220 wrote to memory of 584	1220		3756.exe
PID 1220 wrote to memory of 1788	1220		497F.exe
PID 1220 wrote to memory of 1788	1220		497F.exe
PID 1220 wrote to memory of 1788	1220		497F.exe
PID 1788 wrote to memory of 1004	1788	497F.exe	powershell.exe
PID 1788 wrote to memory of 1004	1788	497F.exe	powershell.exe
PID 1788 wrote to memory of 1004	1788	497F.exe	powershell.exe
PID 1004 wrote to memory of 1288	1004	powershell.exe	csc.exe
PID 1004 wrote to memory of 1288	1004	powershell.exe	csc.exe
PID 1004 wrote to memory of 1288	1004	powershell.exe	csc.exe
PID 1288 wrote to memory of 1512	1288	csc.exe	cvtres.exe
PID 1288 wrote to memory of 1512	1288	csc.exe	cvtres.exe
PID 1288 wrote to memory of 1512	1288	csc.exe	cvtres.exe
PID 1020 wrote to memory of 1768	1020	taskeng.exe	vtfwrgb
PID 1020 wrote to memory of 1768	1020	taskeng.exe	vtfwrgb
PID 1020 wrote to memory of 1768	1020	taskeng.exe	vtfwrgb
PID 1020 wrote to memory of 1768	1020	taskeng.exe	vtfwrgb

C:\Users\Admin\AppData\Local\Temp\b03090cd1bd177ae33407bf0660045ed.exe
"C:\Users\Admin\AppData\Local\Temp\b03090cd1bd177ae33407bf0660045ed.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:748

C:\Users\Admin\AppData\Local\Temp\3756.exe
C:\Users\Admin\AppData\Local\Temp\3756.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:584

C:\Users\Admin\AppData\Local\Temp\497F.exe
C:\Users\Admin\AppData\Local\Temp\497F.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tnvwamt2.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A0A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC69F9.tmp"
4⤵
PID:1512

C:\Windows\system32\taskeng.exe
taskeng.exe {7F067BC3-C74C-4A81-8C8B-963CAE929EDE} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Users\Admin\AppData\Roaming\vtfwrgb
C:\Users\Admin\AppData\Roaming\vtfwrgb
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3756.exe
MD5
f80418f12c03a56ac2e8d8b189c13750

SHA1
cd0b728375e4e178b50bca8ad65ce79aede30d37

SHA256
cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716

SHA512
e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196

Download Submit
C:\Users\Admin\AppData\Local\Temp\3756.exe
MD5
f80418f12c03a56ac2e8d8b189c13750

SHA1
cd0b728375e4e178b50bca8ad65ce79aede30d37

SHA256
cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716

SHA512
e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196

Download Submit
C:\Users\Admin\AppData\Local\Temp\497F.exe
MD5
5dec7029dda901f99d02a1cb08d6b3ab

SHA1
8561c81e8fab7889eb13ab29450bed82878e78c9

SHA256
6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b

SHA512
09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6A0A.tmp
MD5
e2ad0df8541ee1c6f14b356edfbabe99

SHA1
fa9e758a55d39635c18f25affd4d7e4d518d69a2

SHA256
c9784f8faca827dc7822a27a1a1bf0c92a94732a1c2354df127c7def8a60ebe7

SHA512
826839265da4f839bf3f1111c41a8a07acd53edb9ba30b8ca5230a351051f084552b381e173377726de163594b1810afa1474dad4ac4783877aab4155c458359

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
MD5
854b2dfc0a28f2959b1d2fc363a4e318

SHA1
ce1753052c5bdad56708ec75d8085b2c597df6c1

SHA256
7135370ad5c4279486173fa5d0de73ea06dd814e4f8df98f80624f6f8b8c231c

SHA512
b0204091d6f89877c808c2c1db97c3723f063eace68d54b25da674b5971d0a2f7d60549923097c36dedc8c1cb2f77dfdd1dfb4df60f16682652a6755e287bfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnvwamt2.dll
MD5
db2cb03e6cf451ba2ef535d06f2f64c0

SHA1
46fe6c046284f816e299e77038c2e30a69d80190

SHA256
e7a8462852aa8b6ded09afc09f093d6b910a8872f6b79bcbac6de5f392be80ac

SHA512
859fa4dbf19dc7daa3e299e4e72a32efe3a7f66a9f1cee6fdfb7cc6963bfd3339903d4df4ce0c05412317b008de3d33280c00ca3f36c17d75342670e1fb5c894

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnvwamt2.pdb
MD5
6d368ba5e74f18e7f82b97f669425d0f

SHA1
ae5cc6fd3839462f3fba187394d04b80c17f414d

SHA256
fca8e20b762a2eeb548abda866c5113c61f4c8f89a2303c2c5fa1c94d17099b1

SHA512
9c7f8889d092ac5bda7e9e655d7cedda71c76827a434be9f3435cb296799b2b3c87d1c9bdad4e94ed384300bef87248f78f6cbbbb2f277db87c09279a38afc88

Download Submit
C:\Users\Admin\AppData\Roaming\vtfwrgb
MD5
b03090cd1bd177ae33407bf0660045ed

SHA1
2813830526d47eda025534dcf6956b468b340dcd

SHA256
bfb63daf8e5d09c7a464bfec38d2d5e4737bd3d2c04974616ef46b5ffddcc8f1

SHA512
b4b107b6edb252369e850c31fb6dd04616236bf3f44298b2e85d09d47f7167d870d625012dfae070f8f10ed6431712aff5c58ff68a0bbcdb2b6a62843e72f037

Download Submit
C:\Users\Admin\AppData\Roaming\vtfwrgb
MD5
b03090cd1bd177ae33407bf0660045ed

SHA1
2813830526d47eda025534dcf6956b468b340dcd

SHA256
bfb63daf8e5d09c7a464bfec38d2d5e4737bd3d2c04974616ef46b5ffddcc8f1

SHA512
b4b107b6edb252369e850c31fb6dd04616236bf3f44298b2e85d09d47f7167d870d625012dfae070f8f10ed6431712aff5c58ff68a0bbcdb2b6a62843e72f037

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC69F9.tmp
MD5
5833f069d391c0a4cf637f17645134a7

SHA1
cab561146e46ecf47bc3bbf3cc7fa5bc1e5b8487

SHA256
b32d4a1a9331ba5bce8184524437e0f84c5120c9407e69944ec306dc74a8c2c9

SHA512
1b6db94f9fb0ca602a24f17361fe928ab8dc36a6c4575ddf91626fe92ade9df4af7de529d8150b9136c7e1bc846c345962af451052dae11db5bc55cf31e708a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tnvwamt2.0.cs
MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tnvwamt2.cmdline
MD5
e715c72c511212dde162a2f40809c599

SHA1
9f40c361069ed6e1c168ff063e916c0c718f7024

SHA256
b38be208efc42d9d51570b59ce78c9666fd471b05dcbc83e04efeba254688534

SHA512
42eeb9751fce677c3f367fc7561306411a0e591f2cd661271b4122ccb1b777b10d77bb7285d9ae064928869c44041ca91457dc81329b60bb4ef68bb2d1494bfb

Download Submit
\Users\Admin\AppData\Local\Temp\497F.exe
MD5
5dec7029dda901f99d02a1cb08d6b3ab

SHA1
8561c81e8fab7889eb13ab29450bed82878e78c9

SHA256
6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b

SHA512
09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca

Download Submit
\Users\Admin\AppData\Local\Temp\497F.exe
MD5
5dec7029dda901f99d02a1cb08d6b3ab

SHA1
8561c81e8fab7889eb13ab29450bed82878e78c9

SHA256
6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b

SHA512
09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca

Download Submit
\Users\Admin\AppData\Local\Temp\497F.exe
MD5
5dec7029dda901f99d02a1cb08d6b3ab

SHA1
8561c81e8fab7889eb13ab29450bed82878e78c9

SHA256
6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b

SHA512
09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca

Download Submit
\Users\Admin\AppData\Local\Temp\497F.exe
MD5
5dec7029dda901f99d02a1cb08d6b3ab

SHA1
8561c81e8fab7889eb13ab29450bed82878e78c9

SHA256
6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b

SHA512
09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca

Download Submit
memory/584-70-0x0000000076720000-0x000000007687C000-memory.dmp

Filesize
1.4MB

Download
memory/584-77-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/584-76-0x00000000754B0000-0x00000000760FA000-memory.dmp

Filesize
12.3MB

Download
memory/584-78-0x000000006F190000-0x000000006F1A7000-memory.dmp

Filesize
92KB

Download
memory/584-79-0x00000000762E0000-0x0000000076315000-memory.dmp

Filesize
212KB

Download
memory/584-73-0x0000000075020000-0x00000000750AF000-memory.dmp

Filesize
572KB

Download
memory/584-58-0x0000000000000000-mapping.dmp

Download
memory/584-74-0x0000000000350000-0x0000000000395000-memory.dmp

Filesize
276KB

Download
memory/584-71-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/584-62-0x00000000746B0000-0x00000000746FA000-memory.dmp

Filesize
296KB

Download
memory/584-63-0x0000000000CC0000-0x0000000000D2C000-memory.dmp

Filesize
432KB

Download
memory/584-64-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/584-66-0x00000000750B0000-0x000000007515C000-memory.dmp

Filesize
688KB

Download
memory/584-67-0x0000000076880000-0x00000000768C7000-memory.dmp

Filesize
284KB

Download
memory/584-68-0x0000000075160000-0x00000000751B7000-memory.dmp

Filesize
348KB

Download
memory/748-53-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download
memory/748-55-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/748-54-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/748-56-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download
memory/1004-109-0x00000000024BD000-0x00000000024BE000-memory.dmp

Filesize
4KB

Download
memory/1004-95-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1004-93-0x0000000002490000-0x0000000002492000-memory.dmp

Filesize
8KB

Download
memory/1004-94-0x0000000002492000-0x0000000002494000-memory.dmp

Filesize
8KB

Download
memory/1004-96-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1004-91-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

Filesize
8KB

Download
memory/1004-98-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/1004-90-0x0000000000000000-mapping.dmp

Download
memory/1004-92-0x000007FEEB070000-0x000007FEEBBCD000-memory.dmp

Filesize
11.4MB

Download
memory/1220-57-0x0000000002B10000-0x0000000002B26000-memory.dmp

Filesize
88KB

Download
memory/1220-117-0x0000000004540000-0x0000000004556000-memory.dmp

Filesize
88KB

Download
memory/1288-108-0x0000000000730000-0x0000000000732000-memory.dmp

Filesize
8KB

Download
memory/1288-99-0x0000000000000000-mapping.dmp

Download
memory/1512-102-0x0000000000000000-mapping.dmp

Download
memory/1768-111-0x0000000000000000-mapping.dmp

Download
memory/1768-116-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download
memory/1788-87-0x0000000040FC4000-0x0000000040FC6000-memory.dmp

Filesize
8KB

Download
memory/1788-84-0x0000000041310000-0x00000000415DF000-memory.dmp

Filesize
2.8MB

Download
memory/1788-82-0x0000000000000000-mapping.dmp

Download
memory/1788-86-0x0000000040FC2000-0x0000000040FC4000-memory.dmp

Filesize
8KB

Download
memory/1788-88-0x0000000040FC6000-0x0000000040FC7000-memory.dmp

Filesize
4KB

Download
memory/1788-89-0x0000000040FC7000-0x0000000040FC8000-memory.dmp

Filesize
4KB

Download