Analysis
-
max time kernel
152s -
max time network
146s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
27-01-2022 15:45
General
-
Target
36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
-
Size
289KB
-
MD5
e18d00380ca446a2e8e9b6ba9f4bc10c
-
SHA1
c012d7c5a8374805c31cf3dd3bfe52af562e704c
-
SHA256
36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b
-
SHA512
ae9738815e1d6673a4a6de2d97309a4c46235cfc038789e82d1a228353e6ddbcaeadd4523b7fbd4a732d19efed8d4235d87166640b3ef94a117801577bce1fee
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://nahbleiben.at/upload/
http://noblecreativeaz.com/upload/
http://tvqaq.cn/upload/
http://recmaster.ru/upload/
http://sovels.ru/upload/
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
rc4.i32
rc4.i32
rc4.i32
rc4.i32
Extracted
Family
redline
C2
45.32.171.34:42954
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies Internet Explorer settings 1 TTPs 12 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3796 -s 9162⤵
- Program crash
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe"C:\Users\Admin\AppData\Local\Temp\36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\A8FE.exeC:\Users\Admin\AppData\Local\Temp\A8FE.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\BC19.exeC:\Users\Admin\AppData\Local\Temp\BC19.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv2⤵
-
C:\Windows\system32\ipconfig.exeipconfig /displaydns2⤵
- Gathers network information
-
C:\Windows\system32\ROUTE.EXEroute print2⤵
-
C:\Windows\system32\netsh.exenetsh firewall show state2⤵
-
C:\Windows\system32\systeminfo.exesysteminfo2⤵
- Gathers system information
-
C:\Windows\system32\tasklist.exetasklist /v2⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\net.exenet accounts /domain2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 accounts /domain3⤵
-
C:\Windows\system32\net.exenet share2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 share3⤵
-
C:\Windows\system32\net.exenet user2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user3⤵
-
C:\Windows\system32\net.exenet user /domain2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user /domain3⤵
-
C:\Windows\system32\net.exenet use2⤵
-
C:\Windows\system32\net.exenet group2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 group3⤵
-
C:\Windows\system32\net.exenet localgroup2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup3⤵
-
C:\Windows\system32\NETSTAT.EXEnetstat -r2⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print3⤵
-
C:\Windows\system32\ROUTE.EXEC:\Windows\system32\route.exe print4⤵
-
C:\Windows\system32\NETSTAT.EXEnetstat -nao2⤵
- Gathers network information
-
C:\Windows\system32\schtasks.exeschtasks /query2⤵
-
C:\Windows\system32\ipconfig.exeipconfig /all2⤵
- Gathers network information
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3656 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\A8FE.exeMD5
c1d7d3c37cb954a86b42287ca35986ec
SHA17b5ba6597b26fe3b0136e5cd0fbe8dc1060f96d0
SHA256f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc
SHA512b22a8e4f5b9b66660fa7fe42fcd06283c52b00384684b349959cf6580bd57895ddb57439e7527577d5635800da7e4c8ea3e84a3e2058aba6aef25f6b77e6e142
-
C:\Users\Admin\AppData\Local\Temp\A8FE.exeMD5
c1d7d3c37cb954a86b42287ca35986ec
SHA17b5ba6597b26fe3b0136e5cd0fbe8dc1060f96d0
SHA256f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc
SHA512b22a8e4f5b9b66660fa7fe42fcd06283c52b00384684b349959cf6580bd57895ddb57439e7527577d5635800da7e4c8ea3e84a3e2058aba6aef25f6b77e6e142
-
C:\Users\Admin\AppData\Local\Temp\BC19.exeMD5
a7e31a1a4ef916d45f6cea16f383605a
SHA121f3adb10382136b80e020d91979c57bbdc06595
SHA25678036f7fbb657ea16be0810cd7522f790d72dde3cd060f106d48d947addd5ffd
SHA51234d6781d76a058bfb44a451d48d3bd4cf1ba1f72c1d5218ec4a8963e289940242ce080513d171ab4fe9497c4071100a0f8489cee611677b676c12b3585a96b37
-
C:\Users\Admin\AppData\Local\Temp\BC19.exeMD5
a7e31a1a4ef916d45f6cea16f383605a
SHA121f3adb10382136b80e020d91979c57bbdc06595
SHA25678036f7fbb657ea16be0810cd7522f790d72dde3cd060f106d48d947addd5ffd
SHA51234d6781d76a058bfb44a451d48d3bd4cf1ba1f72c1d5218ec4a8963e289940242ce080513d171ab4fe9497c4071100a0f8489cee611677b676c12b3585a96b37
-
memory/736-116-0x0000000002CB0000-0x0000000002DFA000-memory.dmpFilesize
1.3MB
-
memory/736-117-0x0000000000400000-0x0000000002B7E000-memory.dmpFilesize
39.5MB
-
memory/736-115-0x0000000002CB0000-0x0000000002DFA000-memory.dmpFilesize
1.3MB
-
memory/960-172-0x00000000005E0000-0x00000000005ED000-memory.dmpFilesize
52KB
-
memory/960-171-0x00000000005F0000-0x00000000005F7000-memory.dmpFilesize
28KB
-
memory/1512-158-0x00000000007C0000-0x00000000007CC000-memory.dmpFilesize
48KB
-
memory/1536-164-0x0000000000E20000-0x0000000000E2E000-memory.dmpFilesize
56KB
-
memory/1536-163-0x0000000000E30000-0x0000000000E39000-memory.dmpFilesize
36KB
-
memory/1616-168-0x0000000000DC0000-0x0000000000DCC000-memory.dmpFilesize
48KB
-
memory/1616-167-0x0000000000DD0000-0x0000000000DD6000-memory.dmpFilesize
24KB
-
memory/1700-177-0x00000264DE470000-0x00000264DE471000-memory.dmpFilesize
4KB
-
memory/2192-130-0x0000000002210000-0x000000000224E000-memory.dmpFilesize
248KB
-
memory/2192-127-0x0000000001F80000-0x0000000001FC5000-memory.dmpFilesize
276KB
-
memory/2192-133-0x0000000004CF3000-0x0000000004CF4000-memory.dmpFilesize
4KB
-
memory/2192-134-0x0000000004D00000-0x00000000051FE000-memory.dmpFilesize
5.0MB
-
memory/2192-135-0x0000000002400000-0x000000000243A000-memory.dmpFilesize
232KB
-
memory/2192-136-0x0000000005200000-0x0000000005806000-memory.dmpFilesize
6.0MB
-
memory/2192-137-0x0000000004C10000-0x0000000004C22000-memory.dmpFilesize
72KB
-
memory/2192-138-0x0000000005810000-0x000000000591A000-memory.dmpFilesize
1.0MB
-
memory/2192-139-0x0000000004CF4000-0x0000000004CF6000-memory.dmpFilesize
8KB
-
memory/2192-140-0x0000000004C60000-0x0000000004C9E000-memory.dmpFilesize
248KB
-
memory/2192-132-0x0000000004CF2000-0x0000000004CF3000-memory.dmpFilesize
4KB
-
memory/2192-144-0x0000000005A20000-0x0000000005A6B000-memory.dmpFilesize
300KB
-
memory/2192-147-0x0000000005E10000-0x0000000005E76000-memory.dmpFilesize
408KB
-
memory/2192-148-0x0000000006230000-0x00000000062A6000-memory.dmpFilesize
472KB
-
memory/2192-149-0x00000000062F0000-0x0000000006382000-memory.dmpFilesize
584KB
-
memory/2192-150-0x0000000006510000-0x000000000652E000-memory.dmpFilesize
120KB
-
memory/2192-151-0x0000000006620000-0x00000000067E2000-memory.dmpFilesize
1.8MB
-
memory/2192-152-0x00000000067F0000-0x0000000006D1C000-memory.dmpFilesize
5.2MB
-
memory/2192-153-0x0000000007890000-0x00000000078E0000-memory.dmpFilesize
320KB
-
memory/2192-131-0x0000000004CF0000-0x0000000004CF1000-memory.dmpFilesize
4KB
-
memory/2192-129-0x0000000000400000-0x000000000045F000-memory.dmpFilesize
380KB
-
memory/2592-162-0x00000000001E0000-0x00000000001EB000-memory.dmpFilesize
44KB
-
memory/2592-161-0x00000000001F0000-0x00000000001F7000-memory.dmpFilesize
28KB
-
memory/2648-118-0x0000000000B40000-0x0000000000B56000-memory.dmpFilesize
88KB
-
memory/2648-128-0x0000000002460000-0x0000000002476000-memory.dmpFilesize
88KB
-
memory/2648-143-0x0000000002A20000-0x0000000002A2F000-memory.dmpFilesize
60KB
-
memory/2772-173-0x000002817CBD0000-0x000002817CBD1000-memory.dmpFilesize
4KB
-
memory/2804-169-0x0000000000450000-0x0000000000456000-memory.dmpFilesize
24KB
-
memory/2804-170-0x0000000000440000-0x000000000044B000-memory.dmpFilesize
44KB
-
memory/2816-174-0x000001BC70AF0000-0x000001BC70AF1000-memory.dmpFilesize
4KB
-
memory/2848-166-0x00000000008D0000-0x00000000008D9000-memory.dmpFilesize
36KB
-
memory/2848-165-0x00000000008E0000-0x00000000008E5000-memory.dmpFilesize
20KB
-
memory/2924-178-0x0000024858ED0000-0x0000024858ED1000-memory.dmpFilesize
4KB
-
memory/2924-175-0x0000024858B90000-0x0000024858B91000-memory.dmpFilesize
4KB
-
memory/3220-160-0x0000000003100000-0x000000000316B000-memory.dmpFilesize
428KB
-
memory/3220-159-0x0000000003170000-0x00000000031E5000-memory.dmpFilesize
468KB
-
memory/3528-176-0x0000020042D30000-0x0000020042D31000-memory.dmpFilesize
4KB
-
memory/4000-123-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB
-
memory/4000-121-0x0000000000700000-0x0000000000723000-memory.dmpFilesize
140KB
-
memory/4000-122-0x0000000000680000-0x0000000000689000-memory.dmpFilesize
36KB