Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
19/09/2022, 19:39
General
-
Target
1f63d7b1fc905bcef2d468fd52e37515d568fbd0d9656c62cd9eda173f21f4e4.exe
-
Size
275KB
-
MD5
e5ad0581866dbb7f3f3da091adfb722e
-
SHA1
2a4afa15b8589c7af2993188e67b6e4dec70c287
-
SHA256
1f63d7b1fc905bcef2d468fd52e37515d568fbd0d9656c62cd9eda173f21f4e4
-
SHA512
4c7c58df3321e3ce62992c51166d07bfca86b871c9e338398d62da21fbfa2380cd70e6de6e9800d496bfe6227efecf5b6912765f5a33a0ef6c0a7c73f6e2f9b4
-
SSDEEP
6144:cLU496hd7Y8wA+lXp58Z0WGigavwVfDd:cLUaC5YhzL5R+q
Malware Config
Extracted
redline
new
194.87.71.159:19532
-
auth_value
0889ae494d48e4325078e3f599f31af1
Signatures
-
Detects Smokeloader packer 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f63d7b1fc905bcef2d468fd52e37515d568fbd0d9656c62cd9eda173f21f4e4.exe"C:\Users\Admin\AppData\Local\Temp\1f63d7b1fc905bcef2d468fd52e37515d568fbd0d9656c62cd9eda173f21f4e4.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\2328.exeC:\Users\Admin\AppData\Local\Temp\2328.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3818.exeC:\Users\Admin\AppData\Local\Temp\3818.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\49DC.exeC:\Users\Admin\AppData\Local\Temp\49DC.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\52D6.exeC:\Users\Admin\AppData\Local\Temp\52D6.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
251KB
MD5469c76d211c13283d45442738859eea3
SHA1dc3f6ca93494bb1a6dad504eb0c5820fbebb98f3
SHA256c02b96bae23dd7e5b2ff48ddecb2b8d1928949bda903d743be350e34bbd59f28
SHA51295b54458d031099b1d9cc1d7f84fb9cc7e17faed99170297ef1200467c4e98dd8e53175d8c7a25fdc81b2377c3bfd76099b5f7bc54bef2de1addc6a1dc7012b4
-
Filesize
251KB
MD5469c76d211c13283d45442738859eea3
SHA1dc3f6ca93494bb1a6dad504eb0c5820fbebb98f3
SHA256c02b96bae23dd7e5b2ff48ddecb2b8d1928949bda903d743be350e34bbd59f28
SHA51295b54458d031099b1d9cc1d7f84fb9cc7e17faed99170297ef1200467c4e98dd8e53175d8c7a25fdc81b2377c3bfd76099b5f7bc54bef2de1addc6a1dc7012b4
-
Filesize
401KB
MD5a21ccfe36b1414d23d57156562026aae
SHA19e89ee7eeeb00fe91125e2dd34a7f2ba7a13f46d
SHA25617dbc0fd6bd02f2573e28f6221386eb0338f2249ae9ab6ec64275a42d3b6ee20
SHA51251d02ebb7dea80c2cf0d4b840b54939bc21323a6a92485e7b9fa194b1ecc94a68672508d248353d3691837842441551fbb139149ea25d4886870a27e70ef73b6
-
Filesize
401KB
MD5a21ccfe36b1414d23d57156562026aae
SHA19e89ee7eeeb00fe91125e2dd34a7f2ba7a13f46d
SHA25617dbc0fd6bd02f2573e28f6221386eb0338f2249ae9ab6ec64275a42d3b6ee20
SHA51251d02ebb7dea80c2cf0d4b840b54939bc21323a6a92485e7b9fa194b1ecc94a68672508d248353d3691837842441551fbb139149ea25d4886870a27e70ef73b6
-
Filesize
4.2MB
MD55a3945677d9afd7c897620dc8931e898
SHA12c4c5cd92290bfbb315f9bb27e8939fd54cfb6c9
SHA256791367c5c2c6be67f3412210910f878ceb63e73911f69030b54b9d1aad432faa
SHA512104aab7f41af2a3aa5288f1bd68fde8b9c7af49c83284c3c39c4a9fd0df61f528266011546596e095c1e1008cc03891d2c87810fdbb54317800cff3b397e1f39
-
Filesize
4.2MB
MD55a3945677d9afd7c897620dc8931e898
SHA12c4c5cd92290bfbb315f9bb27e8939fd54cfb6c9
SHA256791367c5c2c6be67f3412210910f878ceb63e73911f69030b54b9d1aad432faa
SHA512104aab7f41af2a3aa5288f1bd68fde8b9c7af49c83284c3c39c4a9fd0df61f528266011546596e095c1e1008cc03891d2c87810fdbb54317800cff3b397e1f39
-
Filesize
404KB
MD5010bc686dac9437227a1c13e07265478
SHA1bb7ad3ac63b9ccb6eb5acbb2fd649fb85a609077
SHA2569d26021786c8208ba6b71079443dfbae296ab4246b24c21cd6e59b13d226cc83
SHA51214a9fdffe30e4282b71b3afd3458a5d7e65fd54aee00d581f8f5be6f1666875bff97f2f0986ad196e66b451337d73372c150a0f15e63ffbcc98224a5b3eae43b
-
Filesize
404KB
MD5010bc686dac9437227a1c13e07265478
SHA1bb7ad3ac63b9ccb6eb5acbb2fd649fb85a609077
SHA2569d26021786c8208ba6b71079443dfbae296ab4246b24c21cd6e59b13d226cc83
SHA51214a9fdffe30e4282b71b3afd3458a5d7e65fd54aee00d581f8f5be6f1666875bff97f2f0986ad196e66b451337d73372c150a0f15e63ffbcc98224a5b3eae43b
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
64KB
-
Filesize
36KB
-
Filesize
1.6MB
-
Filesize
292KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
64KB
-
Filesize
292KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
1.3MB
-
Filesize
248KB
-
Filesize
1.0MB
-
Filesize
472KB
-
Filesize
1.3MB
-
Filesize
408KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
300KB
-
Filesize
424KB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
248KB
-
Filesize
5.2MB
-
Filesize
5.0MB
-
Filesize
240KB
-
Filesize
584KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
72KB
-
Filesize
6.0MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB