redline | 8a46b3bd24b5955c64eccdfa866ed5ac7850e73f1745253493b05ecf8479f306

Analysis

max time kernel
150s
max time network
143s
platform
windows10_x64
resource
win10-20220414-en
submitted
06-07-2022 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a46b3bd24b5955c64eccdfa866ed5ac7850e73f1745253493b05ecf8479f306.exe
Size

292KB
MD5

726312fff5e118f803edccaef2207dfb
SHA1

eddac1a11ab1ca328cd4f7e9bdcc07ed4f1c82d3
SHA256

8a46b3bd24b5955c64eccdfa866ed5ac7850e73f1745253493b05ecf8479f306
SHA512

2fc2f95ef16d9647fb0aff2e67ef5e511123facd631fff950ae1688a1f8348209dff8f8df8a36684cb07272d5924f0fd53a74eb5c3db11e32d72b0d91ab4dce2

Score

10^/10

redline ib1.4 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

ib1.4

levelcupsecurity.eu:80

Attributes

auth_value
363e918b58f663fdb3c6d525cf98d4b0

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

7B79.exeSmartClock.exeDC57.exe

pid process

2656 7B79.exe
4088 SmartClock.exe
1760 DC57.exe
Deletes itself 1 IoCs

Processes:

pid process

2116
Drops startup file 1 IoCs

Processes:

7B79.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 7B79.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2656	7B79.exe
4088	SmartClock.exe
1760	DC57.exe

pid	process
2116

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	7B79.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8a46b3bd24b5955c64eccdfa866ed5ac7850e73f1745253493b05ecf8479f306.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8a46b3bd24b5955c64eccdfa866ed5ac7850e73f1745253493b05ecf8479f306.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8a46b3bd24b5955c64eccdfa866ed5ac7850e73f1745253493b05ecf8479f306.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8a46b3bd24b5955c64eccdfa866ed5ac7850e73f1745253493b05ecf8479f306.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

4088 SmartClock.exe

pid	process
4088	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8a46b3bd24b5955c64eccdfa866ed5ac7850e73f1745253493b05ecf8479f306.exe

pid	process
1324	8a46b3bd24b5955c64eccdfa866ed5ac7850e73f1745253493b05ecf8479f306.exe
1324	8a46b3bd24b5955c64eccdfa866ed5ac7850e73f1745253493b05ecf8479f306.exe
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2116
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

8a46b3bd24b5955c64eccdfa866ed5ac7850e73f1745253493b05ecf8479f306.exe

pid process

1324 8a46b3bd24b5955c64eccdfa866ed5ac7850e73f1745253493b05ecf8479f306.exe

pid	process
2116

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

DC57.exe

description	pid	process
Token: SeDebugPrivilege	1760	DC57.exe
Token: SeShutdownPrivilege	2116
Token: SeCreatePagefilePrivilege	2116
Token: SeShutdownPrivilege	2116
Token: SeCreatePagefilePrivilege	2116

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7B79.exe

description	pid	process	target process
PID 2116 wrote to memory of 2656	2116		7B79.exe
PID 2116 wrote to memory of 2656	2116		7B79.exe
PID 2116 wrote to memory of 2656	2116		7B79.exe
PID 2656 wrote to memory of 4088	2656	7B79.exe	SmartClock.exe
PID 2656 wrote to memory of 4088	2656	7B79.exe	SmartClock.exe
PID 2656 wrote to memory of 4088	2656	7B79.exe	SmartClock.exe
PID 2116 wrote to memory of 1760	2116		DC57.exe
PID 2116 wrote to memory of 1760	2116		DC57.exe
PID 2116 wrote to memory of 1760	2116		DC57.exe

C:\Users\Admin\AppData\Local\Temp\8a46b3bd24b5955c64eccdfa866ed5ac7850e73f1745253493b05ecf8479f306.exe
"C:\Users\Admin\AppData\Local\Temp\8a46b3bd24b5955c64eccdfa866ed5ac7850e73f1745253493b05ecf8479f306.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1324

C:\Users\Admin\AppData\Local\Temp\7B79.exe
C:\Users\Admin\AppData\Local\Temp\7B79.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:4088

C:\Users\Admin\AppData\Local\Temp\DC57.exe
C:\Users\Admin\AppData\Local\Temp\DC57.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7B79.exe
Filesize
660KB

MD5
2f4d2be464aac2818dde039a20bd99b7

SHA1
baf9eec4b5c63217f2f3d5b09d92e34625639752

SHA256
199efb3ebd3284284140ce0d8cd3617f5a94a2fb6a32cc34235f7ec1a93fe7be

SHA512
b3f85dff9611359b1e9a2a57ab4333cd124a6ed23a2e29f8a307707b606e1e9fc7213e514c91c6afbdbbe1c7f9dca258b317a91c86f12fe3b0d1587c34c585d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B79.exe
Filesize
660KB

MD5
2f4d2be464aac2818dde039a20bd99b7

SHA1
baf9eec4b5c63217f2f3d5b09d92e34625639752

SHA256
199efb3ebd3284284140ce0d8cd3617f5a94a2fb6a32cc34235f7ec1a93fe7be

SHA512
b3f85dff9611359b1e9a2a57ab4333cd124a6ed23a2e29f8a307707b606e1e9fc7213e514c91c6afbdbbe1c7f9dca258b317a91c86f12fe3b0d1587c34c585d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC57.exe
Filesize
396KB

MD5
4e4039f9fe484f8f33db7cf2e045d463

SHA1
d0573786cfbb933b0078465fed025554574caa7b

SHA256
bacfe9391d4efdcbb243c69356cdde0de5c420413ad9917ffe90de7d0493cc2b

SHA512
2c8c68bd7e2ef3c47b0a9590c094d07efb42dcef4aa04710c25612697dffee00fceb21295f6fdfe30e6ee025895954df6771d45d7cd1f9e690794b70a4debbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC57.exe
Filesize
396KB

MD5
4e4039f9fe484f8f33db7cf2e045d463

SHA1
d0573786cfbb933b0078465fed025554574caa7b

SHA256
bacfe9391d4efdcbb243c69356cdde0de5c420413ad9917ffe90de7d0493cc2b

SHA512
2c8c68bd7e2ef3c47b0a9590c094d07efb42dcef4aa04710c25612697dffee00fceb21295f6fdfe30e6ee025895954df6771d45d7cd1f9e690794b70a4debbe5

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
Filesize
660KB

MD5
2f4d2be464aac2818dde039a20bd99b7

SHA1
baf9eec4b5c63217f2f3d5b09d92e34625639752

SHA256
199efb3ebd3284284140ce0d8cd3617f5a94a2fb6a32cc34235f7ec1a93fe7be

SHA512
b3f85dff9611359b1e9a2a57ab4333cd124a6ed23a2e29f8a307707b606e1e9fc7213e514c91c6afbdbbe1c7f9dca258b317a91c86f12fe3b0d1587c34c585d4

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
Filesize
660KB

MD5
2f4d2be464aac2818dde039a20bd99b7

SHA1
baf9eec4b5c63217f2f3d5b09d92e34625639752

SHA256
199efb3ebd3284284140ce0d8cd3617f5a94a2fb6a32cc34235f7ec1a93fe7be

SHA512
b3f85dff9611359b1e9a2a57ab4333cd124a6ed23a2e29f8a307707b606e1e9fc7213e514c91c6afbdbbe1c7f9dca258b317a91c86f12fe3b0d1587c34c585d4

Download Submit
memory/1324-148-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-125-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-150-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-124-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-151-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-126-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-127-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-128-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-129-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-131-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-130-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-132-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-133-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-135-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-136-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-137-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-138-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-139-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-140-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-141-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-143-0x0000000000A80000-0x0000000000B2E000-memory.dmp

Filesize
696KB

Download
memory/1324-144-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-145-0x0000000000BD0000-0x0000000000BD9000-memory.dmp

Filesize
36KB

Download
memory/1324-142-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-152-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-147-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/1324-121-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-149-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-123-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-122-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-146-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-153-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-154-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-155-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-156-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/1324-119-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1324-120-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/1760-372-0x00000000075F0000-0x0000000007B1C000-memory.dmp

Filesize
5.2MB

Download
memory/1760-361-0x0000000006EC0000-0x0000000006F26000-memory.dmp

Filesize
408KB

Download
memory/1760-375-0x0000000000B90000-0x0000000000CDA000-memory.dmp

Filesize
1.3MB

Download
memory/1760-320-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/1760-356-0x0000000006B80000-0x0000000006BF6000-memory.dmp

Filesize
472KB

Download
memory/1760-360-0x0000000006D40000-0x0000000006D5E000-memory.dmp

Filesize
120KB

Download
memory/1760-357-0x0000000006C40000-0x0000000006CD2000-memory.dmp

Filesize
584KB

Download
memory/1760-321-0x0000000005C90000-0x0000000005D9A000-memory.dmp

Filesize
1.0MB

Download
memory/1760-332-0x0000000005E30000-0x0000000005E7B000-memory.dmp

Filesize
300KB

Download
memory/1760-254-0x0000000000000000-mapping.dmp

Download
memory/1760-371-0x0000000007410000-0x00000000075D2000-memory.dmp

Filesize
1.8MB

Download
memory/1760-324-0x0000000005DC0000-0x0000000005DFE000-memory.dmp

Filesize
248KB

Download
memory/1760-369-0x0000000007140000-0x0000000007190000-memory.dmp

Filesize
320KB

Download
memory/1760-319-0x0000000005670000-0x0000000005C76000-memory.dmp

Filesize
6.0MB

Download
memory/1760-308-0x0000000002AE0000-0x0000000002B10000-memory.dmp

Filesize
192KB

Download
memory/1760-306-0x0000000005170000-0x000000000566E000-memory.dmp

Filesize
5.0MB

Download
memory/1760-301-0x0000000002930000-0x0000000002960000-memory.dmp

Filesize
192KB

Download
memory/1760-294-0x0000000000400000-0x0000000000A94000-memory.dmp

Filesize
6.6MB

Download
memory/1760-291-0x0000000002690000-0x00000000026C8000-memory.dmp

Filesize
224KB

Download
memory/1760-290-0x0000000000B90000-0x0000000000CDA000-memory.dmp

Filesize
1.3MB

Download
memory/1760-380-0x0000000000400000-0x0000000000A94000-memory.dmp

Filesize
6.6MB

Download
memory/2656-169-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-179-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-183-0x00000000005BA000-0x000000000063A000-memory.dmp

Filesize
512KB

Download
memory/2656-184-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-185-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-186-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-187-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-188-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-189-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-190-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-195-0x00000000020C0000-0x0000000002151000-memory.dmp

Filesize
580KB

Download
memory/2656-194-0x00000000004B0000-0x00000000005FA000-memory.dmp

Filesize
1.3MB

Download
memory/2656-212-0x00000000020C0000-0x0000000002151000-memory.dmp

Filesize
580KB

Download
memory/2656-214-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2656-157-0x0000000000000000-mapping.dmp

Download
memory/2656-159-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-160-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-181-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-180-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-182-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-178-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-177-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-176-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-175-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-174-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-173-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-172-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-171-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-170-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-168-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-167-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-165-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-164-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-163-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-161-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-162-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4088-252-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4088-251-0x00000000004B0000-0x000000000055E000-memory.dmp

Filesize
696KB

Download
memory/4088-207-0x0000000000000000-mapping.dmp

Download
memory/4088-253-0x00000000004B0000-0x000000000055E000-memory.dmp

Filesize
696KB

Download