redline | 2d0bd38ea59864cdcd710759abea3f670449eb4505b54c8a8d22128691deefc1

General

Target

59ddabdcb5b43bbc66bbec89123d2627.exe
Size

265KB
MD5

59ddabdcb5b43bbc66bbec89123d2627
SHA1

6c33dde51d6b45319ad99408c10f6ad8b1340e2f
SHA256

2d0bd38ea59864cdcd710759abea3f670449eb4505b54c8a8d22128691deefc1
SHA512

56463528dc37c141519535140a24d0ce02ca2227ef8c302494e422109e5d6b83a5d6ac5f2b698838e29661cd9dd986d9a2dc0f7c3c4f025f5283cebca052b8b3

Score

10^/10

redline smokeloader sewpalpadin backdoor discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://nahbleiben.at/upload/

http://noblecreativeaz.com/upload/

http://tvqaq.cn/upload/

http://recmaster.ru/upload/

http://sovels.ru/upload/

rc4.i32

Extracted

Family

redline

Botnet

Sewpalpadin

C2

185.215.113.29:34865

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1484-65-0x0000000000560000-0x0000000000594000-memory.dmp	family_redline
behavioral1/memory/1484-66-0x0000000000640000-0x0000000000672000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

737B.exetfdsddvtfdsddvtfdsddv

pid process

1484 737B.exe
1580 tfdsddv
812 tfdsddv
1532 tfdsddv
Deletes itself 1 IoCs

Processes:

pid process

1232
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1484	737B.exe
1580	tfdsddv
812	tfdsddv
1532	tfdsddv

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

59ddabdcb5b43bbc66bbec89123d2627.exetfdsddvtfdsddvtfdsddv

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	59ddabdcb5b43bbc66bbec89123d2627.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	59ddabdcb5b43bbc66bbec89123d2627.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tfdsddv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tfdsddv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tfdsddv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tfdsddv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tfdsddv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	59ddabdcb5b43bbc66bbec89123d2627.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tfdsddv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tfdsddv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tfdsddv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tfdsddv

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

59ddabdcb5b43bbc66bbec89123d2627.exe

pid	process
1744	59ddabdcb5b43bbc66bbec89123d2627.exe
1744	59ddabdcb5b43bbc66bbec89123d2627.exe
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1232
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

59ddabdcb5b43bbc66bbec89123d2627.exetfdsddvtfdsddvtfdsddv

pid process

1744 59ddabdcb5b43bbc66bbec89123d2627.exe
1580 tfdsddv
812 tfdsddv
1532 tfdsddv

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

737B.exe

description	pid	process
Token: SeDebugPrivilege	1484	737B.exe
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1232
1232
1232
1232

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

pid	process
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

taskeng.exetaskeng.exetaskeng.exe

description	pid	process	target process
PID 1232 wrote to memory of 1484	1232		737B.exe
PID 1232 wrote to memory of 1484	1232		737B.exe
PID 1232 wrote to memory of 1484	1232		737B.exe
PID 1232 wrote to memory of 1484	1232		737B.exe
PID 892 wrote to memory of 1580	892	taskeng.exe	tfdsddv
PID 892 wrote to memory of 1580	892	taskeng.exe	tfdsddv
PID 892 wrote to memory of 1580	892	taskeng.exe	tfdsddv
PID 892 wrote to memory of 1580	892	taskeng.exe	tfdsddv
PID 1188 wrote to memory of 812	1188	taskeng.exe	tfdsddv
PID 1188 wrote to memory of 812	1188	taskeng.exe	tfdsddv
PID 1188 wrote to memory of 812	1188	taskeng.exe	tfdsddv
PID 1188 wrote to memory of 812	1188	taskeng.exe	tfdsddv
PID 1780 wrote to memory of 1532	1780	taskeng.exe	tfdsddv
PID 1780 wrote to memory of 1532	1780	taskeng.exe	tfdsddv
PID 1780 wrote to memory of 1532	1780	taskeng.exe	tfdsddv
PID 1780 wrote to memory of 1532	1780	taskeng.exe	tfdsddv

C:\Users\Admin\AppData\Local\Temp\59ddabdcb5b43bbc66bbec89123d2627.exe
"C:\Users\Admin\AppData\Local\Temp\59ddabdcb5b43bbc66bbec89123d2627.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1744

C:\Users\Admin\AppData\Local\Temp\737B.exe
C:\Users\Admin\AppData\Local\Temp\737B.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\taskeng.exe
taskeng.exe {8461FC41-C527-4908-9731-A52508FA57FD} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Roaming\tfdsddv
C:\Users\Admin\AppData\Roaming\tfdsddv
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1580

C:\Windows\system32\taskeng.exe
taskeng.exe {D89E4194-B3C6-4A36-8A66-F6ECDFDA71C7} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Roaming\tfdsddv
C:\Users\Admin\AppData\Roaming\tfdsddv
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:812

C:\Windows\system32\taskeng.exe
taskeng.exe {FC2E4EB8-A27E-4124-8CAD-CC94CCD93C19} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Roaming\tfdsddv
C:\Users\Admin\AppData\Roaming\tfdsddv
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\737B.exe
MD5
ff310f5fef78dfc71a08c5daa7b53239

SHA1
105c6a71f3ccf1b4ee1da4c0be63bfc7129501ef

SHA256
bfd22901305c1bc449de085ea8a3b7b08644322ca3b9dcbf2e136e33ce174432

SHA512
1190a986a487a0d1dc9810577099bef116acb94ab89637c630edd2b092078a9f95ea6aee4d10397457d0d4d083095395f9b64fc43a5fb40a33e553b04d5aa568

Download Submit
C:\Users\Admin\AppData\Roaming\tfdsddv
MD5
59ddabdcb5b43bbc66bbec89123d2627

SHA1
6c33dde51d6b45319ad99408c10f6ad8b1340e2f

SHA256
2d0bd38ea59864cdcd710759abea3f670449eb4505b54c8a8d22128691deefc1

SHA512
56463528dc37c141519535140a24d0ce02ca2227ef8c302494e422109e5d6b83a5d6ac5f2b698838e29661cd9dd986d9a2dc0f7c3c4f025f5283cebca052b8b3

Download Submit
C:\Users\Admin\AppData\Roaming\tfdsddv
MD5
59ddabdcb5b43bbc66bbec89123d2627

SHA1
6c33dde51d6b45319ad99408c10f6ad8b1340e2f

SHA256
2d0bd38ea59864cdcd710759abea3f670449eb4505b54c8a8d22128691deefc1

SHA512
56463528dc37c141519535140a24d0ce02ca2227ef8c302494e422109e5d6b83a5d6ac5f2b698838e29661cd9dd986d9a2dc0f7c3c4f025f5283cebca052b8b3

Download Submit
C:\Users\Admin\AppData\Roaming\tfdsddv
MD5
59ddabdcb5b43bbc66bbec89123d2627

SHA1
6c33dde51d6b45319ad99408c10f6ad8b1340e2f

SHA256
2d0bd38ea59864cdcd710759abea3f670449eb4505b54c8a8d22128691deefc1

SHA512
56463528dc37c141519535140a24d0ce02ca2227ef8c302494e422109e5d6b83a5d6ac5f2b698838e29661cd9dd986d9a2dc0f7c3c4f025f5283cebca052b8b3

Download Submit
C:\Users\Admin\AppData\Roaming\tfdsddv
MD5
59ddabdcb5b43bbc66bbec89123d2627

SHA1
6c33dde51d6b45319ad99408c10f6ad8b1340e2f

SHA256
2d0bd38ea59864cdcd710759abea3f670449eb4505b54c8a8d22128691deefc1

SHA512
56463528dc37c141519535140a24d0ce02ca2227ef8c302494e422109e5d6b83a5d6ac5f2b698838e29661cd9dd986d9a2dc0f7c3c4f025f5283cebca052b8b3

Download Submit
memory/812-80-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/812-77-0x0000000000000000-mapping.dmp

Download
memory/1232-86-0x0000000003F20000-0x0000000003F36000-memory.dmp

Filesize
88KB

Download
memory/1232-81-0x00000000026C0000-0x00000000026D6000-memory.dmp

Filesize
88KB

Download
memory/1232-59-0x0000000002A40000-0x0000000002A56000-memory.dmp

Filesize
88KB

Download
memory/1232-76-0x0000000003F00000-0x0000000003F16000-memory.dmp

Filesize
88KB

Download
memory/1484-62-0x00000000008F8000-0x0000000000924000-memory.dmp

Filesize
176KB

Download
memory/1484-64-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1484-69-0x0000000002103000-0x0000000002104000-memory.dmp

Filesize
4KB

Download
memory/1484-68-0x0000000002102000-0x0000000002103000-memory.dmp

Filesize
4KB

Download
memory/1484-70-0x0000000002104000-0x0000000002106000-memory.dmp

Filesize
8KB

Download
memory/1484-66-0x0000000000640000-0x0000000000672000-memory.dmp

Filesize
200KB

Download
memory/1484-60-0x0000000000000000-mapping.dmp

Download
memory/1484-65-0x0000000000560000-0x0000000000594000-memory.dmp

Filesize
208KB

Download
memory/1484-63-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1484-67-0x0000000002101000-0x0000000002102000-memory.dmp

Filesize
4KB

Download
memory/1532-82-0x0000000000000000-mapping.dmp

Download
memory/1532-85-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/1580-75-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/1580-72-0x0000000000000000-mapping.dmp

Download
memory/1744-55-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1744-58-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/1744-57-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/1744-56-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads