Analysis
-
max time kernel
150s -
max time network
104s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
16/09/2022, 16:09
General
-
Target
0d49e0aa22dcd18bb09a175de65764c2667a8524fca4d8138439bad28dcc5b18.exe
-
Size
301KB
-
MD5
3d3f636b69be16bbc9b2050c0a248852
-
SHA1
63741ebe6b98d66228a7caa92fd216b7541fbd34
-
SHA256
0d49e0aa22dcd18bb09a175de65764c2667a8524fca4d8138439bad28dcc5b18
-
SHA512
ae2498e579e8f7298eb15c0a2446f76583a1b7fa604dbea8c48a7544c612a92547350bd06bfbd126c1ef541030572fb39845ab5a75a08fe7c8f20e02298294d8
-
SSDEEP
6144:x4+XRD5SjsiEvxAU3ZL7vZ0w+zJ3qSnigabwVf:xhXRD5S9EJAcZL7CVJi
Malware Config
Extracted
redline
noviy
157.90.19.174:23447
-
auth_value
9a329af57ce39a0a4f8e36dbf6cd6106
Signatures
-
Detects Smokeloader packer 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d49e0aa22dcd18bb09a175de65764c2667a8524fca4d8138439bad28dcc5b18.exe"C:\Users\Admin\AppData\Local\Temp\0d49e0aa22dcd18bb09a175de65764c2667a8524fca4d8138439bad28dcc5b18.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1443.exeC:\Users\Admin\AppData\Local\Temp\1443.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
396KB
MD508526f07fa77843beeb50cd6c0b1d162
SHA1d191538ec7ab103ce8a63021d7eed6483d04bf8a
SHA256d6aab8f76af757fb50a6cf789163f7812c6eb762e5da3bd0927368ef9393c4c8
SHA512cb91da1b4a2f5a58a815fe2355220ec8532bd48e6c45bcecee46b6e6ef1ec1b7e10b0a40ce3bd6f7021b8935ea44aeb478b43c4a99006a31d33331abf60c6024
-
Filesize
396KB
MD508526f07fa77843beeb50cd6c0b1d162
SHA1d191538ec7ab103ce8a63021d7eed6483d04bf8a
SHA256d6aab8f76af757fb50a6cf789163f7812c6eb762e5da3bd0927368ef9393c4c8
SHA512cb91da1b4a2f5a58a815fe2355220ec8532bd48e6c45bcecee46b6e6ef1ec1b7e10b0a40ce3bd6f7021b8935ea44aeb478b43c4a99006a31d33331abf60c6024
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
696KB
-
Filesize
1.6MB
-
Filesize
320KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
320KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
72KB
-
Filesize
6.0MB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
5.2MB
-
Filesize
1.6MB
-
Filesize
408KB
-
Filesize
1.6MB
-
Filesize
248KB
-
Filesize
696KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
300KB
-
Filesize
248KB
-
Filesize
240KB
-
Filesize
420KB
-
Filesize
1.0MB
-
Filesize
1.8MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
696KB
-
Filesize
248KB
-
Filesize
584KB
-
Filesize
1.6MB
-
Filesize
420KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
248KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
5.0MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
28KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB