Analysis
max time kernel: 4294211s
max time network: 132s
platform: windows7_x64
resource: win7-20220310-en
submitted: 12-03-2022 20:57
Static task: static1
Behavioral task: behavioral1
Sample: 0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe
Resource: win7-20220310-en
General
Target: 0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe
Size: 234KB
MD5: c84fc9842b288932a1c1cc8f1371ea21
SHA1: 2e048768e866cb00596b3b6718956d0ff070f615
SHA256: 0da6fa4b335e835322515d0a96c88d6a133349d57560f476821d90e2477ffbeb
SHA512: 04eedd48ac09195da84eb9d7b7fb37a77f9ebc13cbb9f342a33e3d1e821536622ae90d3c29c2c76b68cb2076eea7f627e84b34a5fb4b5f6cd3924fa749be9a46
Malware Config
Extracted: smokeloader
Version: 2020
Extracted: redline (ww)
C2: 193.106.191.67:44400
auth_value: 5a1b28ccd05953f5c3f99729c12427cc
Extracted: raccoon
ccba3157b9f42051adf38fbb8f5d0aca7f2b7366
url4cnc:
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload (2 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/1292-105-0x0000000000320000-0x0000000000354000-memory.dmp: family_redline
- behavioral1/memory/1292-113-0x0000000002130000-0x0000000002162000-memory.dmp: family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Executes dropped EXE (4 IoCs)
Processes (pid, process):
- 1656 BF59.exe
- 1292 E4D4.exe
- 2040 192E.exe
- 1468 rdbdrgi
Deletes itself (1 IoC)
Processes (pid):
- 1192
Loads dropped DLL (7 IoCs)
Processes (pid, process):
- 828 WerFault.exe (7 events)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash (2 IoCs)
Processes (pid, pid_target, process, target process):
- 1188 976 WerFault.exe rundll32.exe
- 828 2040 WerFault.exe 192E.exe
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rdbdrgi
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rdbdrgi
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rdbdrgi
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 1752 0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe (2 events)
- 1192 (62 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid):
- 1192
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes (pid, process):
- 1752 0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe
- 1468 rdbdrgi
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description, pid, process):
- Token: SeShutdownPrivilege 1192 (2 events)
- Token: SeDebugPrivilege 1292 E4D4.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid):
- 1192 (2 events)
Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid):
- 1192 (2 events)
Suspicious use of WriteProcessMemory (47 IoCs)
Processes (source pid/process wrote to memory of target pid/process):
- 1192 wrote to memory of 1656 BF59.exe (4 events)
- 1656 BF59.exe wrote to memory of 976 rundll32.exe (23 events)
- 1192 wrote to memory of 1292 E4D4.exe (4 events)
- 976 rundll32.exe wrote to memory of 1188 WerFault.exe (4 events)
- 1192 wrote to memory of 2040 192E.exe (4 events)
- 2040 192E.exe wrote to memory of 828 WerFault.exe (4 events)
- 2032 taskeng.exe wrote to memory of 1468 rdbdrgi (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\BF59.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\BF59.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\rundll32.exe
    Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 280
      - Program crash
- C:\Users\Admin\AppData\Local\Temp\E4D4.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\E4D4.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\192E.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\192E.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 416
    - Loads dropped DLL
    - Program crash
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {F724C85E-67F9-494D-98A0-2BD8ACE05599} S-1-5-21-2932610838-281738825-1127631353-1000:NXLKCZKF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\rdbdrgi
    Command line: C:\Users\Admin\AppData\Roaming\rdbdrgi
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Downloads
- C:\Users\Admin\AppData\Local\Temp\192E.exe
  MD5: e86f1cd73f0be7895872a04dcdfb7766
  SHA1: 3b2b9441b33ad62ffd0482fb7809751d3b9bad2a
  SHA256: e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3
  SHA512: 8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab
- C:\Users\Admin\AppData\Local\Temp\BF59.exe
  MD5: 5db4e7f04bb163a1337f216ee2076568
  SHA1: d1f09aadd4d7583c18a5dbe889477179718de362
  SHA256: 12cdcdee943f989fc68b7781176572822605b5ace00dcdb445e58e6bf60c9a5a
  SHA512: 2b14db4807294180165c472a16fcb1ce4fd156165d760b6d0c6eb176e8775e67097db629a88c66ec1ff69e31772455e7957beea20f2288b03647f5134de83263
- C:\Users\Admin\AppData\Local\Temp\E4D4.exe
  MD5: 7d1e1e8f8d1712e01666a44a72c014bc
  SHA1: affc7539af503e63f704d6132b595033649c00ee
  SHA256: fe7eb31f333370fd0cfdb136ec609e73ec8a2bf23121bf0147bd91f85037f484
  SHA512: f470e316198cfbcc518592a543f9fc64ed8d9ca347bf7683265ae23fab123940db2e5d4aad8f9525f82aa17590c8c708f32a921f97048cdc0bffc16348be40c1
- C:\Users\Admin\AppData\Roaming\rdbdrgi
  MD5: c84fc9842b288932a1c1cc8f1371ea21
  SHA1: 2e048768e866cb00596b3b6718956d0ff070f615
  SHA256: 0da6fa4b335e835322515d0a96c88d6a133349d57560f476821d90e2477ffbeb
  SHA512: 04eedd48ac09195da84eb9d7b7fb37a77f9ebc13cbb9f342a33e3d1e821536622ae90d3c29c2c76b68cb2076eea7f627e84b34a5fb4b5f6cd3924fa749be9a46