Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
22-09-2022 02:39
General
-
Target
2ab82bd451838c0923cd04892c5567f9e60d6f72e3bc5286c2374e4cd7d712f6.exe
-
Size
273KB
-
MD5
7743757c264cb5f69b6d44e78420298b
-
SHA1
26abfaeffce65842da7c60191d104f185b437193
-
SHA256
2ab82bd451838c0923cd04892c5567f9e60d6f72e3bc5286c2374e4cd7d712f6
-
SHA512
2db9ee5f2d93398926a7f7ba8a3884679913a88d6793fe4e669b5260f44176b31794e48a76766997ca9b910a5561cf28bf3d6f7008719d0e2cc9012b15e63871
-
SSDEEP
6144:z8jLVJSj0p4zi0iD320ARRW5migavwVfl:z8jLVkj0p4+bHARRW57i
Malware Config
Extracted
redline
LogsDiller Cloud (Sup: @mr_golds)
77.73.134.27:8163
-
auth_value
56c6f7b9024c076f0a96931453da7e56
Signatures
-
Detects Smokeloader packer 2 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ab82bd451838c0923cd04892c5567f9e60d6f72e3bc5286c2374e4cd7d712f6.exe"C:\Users\Admin\AppData\Local\Temp\2ab82bd451838c0923cd04892c5567f9e60d6f72e3bc5286c2374e4cd7d712f6.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\sjthuugC:\Users\Admin\AppData\Roaming\sjthuug1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\4C3B.exeC:\Users\Admin\AppData\Local\Temp\4C3B.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4C3B.exeFilesize
2.6MB
MD50b9978d5b7c98f448f01a37add0d1cab
SHA17faccb84b6e5f026ae2c9a57c85f44ae17ae8cfa
SHA256dc2879d1ea852d721808045d04e9c98dca28623ace248eb2efdd84701255cd68
SHA512e24b09ee83b9a4a36ca5594f1c12e9015b7f9eeb103de1a6bbe82ad5d453282fe834d5d5190886df7e8814bccd8dca7ec4009965717b6b57716f0907d8298b7e
-
C:\Users\Admin\AppData\Local\Temp\4C3B.exeFilesize
2.6MB
MD50b9978d5b7c98f448f01a37add0d1cab
SHA17faccb84b6e5f026ae2c9a57c85f44ae17ae8cfa
SHA256dc2879d1ea852d721808045d04e9c98dca28623ace248eb2efdd84701255cd68
SHA512e24b09ee83b9a4a36ca5594f1c12e9015b7f9eeb103de1a6bbe82ad5d453282fe834d5d5190886df7e8814bccd8dca7ec4009965717b6b57716f0907d8298b7e
-
C:\Users\Admin\AppData\Roaming\sjthuugFilesize
273KB
MD57743757c264cb5f69b6d44e78420298b
SHA126abfaeffce65842da7c60191d104f185b437193
SHA2562ab82bd451838c0923cd04892c5567f9e60d6f72e3bc5286c2374e4cd7d712f6
SHA5122db9ee5f2d93398926a7f7ba8a3884679913a88d6793fe4e669b5260f44176b31794e48a76766997ca9b910a5561cf28bf3d6f7008719d0e2cc9012b15e63871
-
C:\Users\Admin\AppData\Roaming\sjthuugFilesize
273KB
MD57743757c264cb5f69b6d44e78420298b
SHA126abfaeffce65842da7c60191d104f185b437193
SHA2562ab82bd451838c0923cd04892c5567f9e60d6f72e3bc5286c2374e4cd7d712f6
SHA5122db9ee5f2d93398926a7f7ba8a3884679913a88d6793fe4e669b5260f44176b31794e48a76766997ca9b910a5561cf28bf3d6f7008719d0e2cc9012b15e63871
-
memory/868-138-0x0000000000000000-mapping.dmp
-
memory/1572-168-0x0000000000000000-mapping.dmp
-
memory/1572-192-0x0000000000C30000-0x0000000000C36000-memory.dmpFilesize
24KB
-
memory/1572-170-0x0000000000C20000-0x0000000000C2B000-memory.dmpFilesize
44KB
-
memory/1572-169-0x0000000000C30000-0x0000000000C36000-memory.dmpFilesize
24KB
-
memory/1940-178-0x000000000063D000-0x000000000064D000-memory.dmpFilesize
64KB
-
memory/1940-179-0x0000000000400000-0x0000000000449000-memory.dmpFilesize
292KB
-
memory/1940-186-0x0000000000400000-0x0000000000449000-memory.dmpFilesize
292KB
-
memory/2816-173-0x0000000001280000-0x000000000128D000-memory.dmpFilesize
52KB
-
memory/2816-172-0x0000000001290000-0x0000000001297000-memory.dmpFilesize
28KB
-
memory/2816-171-0x0000000000000000-mapping.dmp
-
memory/2816-193-0x0000000001290000-0x0000000001297000-memory.dmpFilesize
28KB
-
memory/3656-175-0x0000000001320000-0x0000000001328000-memory.dmpFilesize
32KB
-
memory/3656-194-0x0000000001320000-0x0000000001328000-memory.dmpFilesize
32KB
-
memory/3656-176-0x0000000001310000-0x000000000131B000-memory.dmpFilesize
44KB
-
memory/3656-174-0x0000000000000000-mapping.dmp
-
memory/4580-177-0x0000000000390000-0x0000000000397000-memory.dmpFilesize
28KB
-
memory/4580-143-0x0000000000380000-0x000000000038B000-memory.dmpFilesize
44KB
-
memory/4580-142-0x0000000000390000-0x0000000000397000-memory.dmpFilesize
28KB
-
memory/4580-141-0x0000000000000000-mapping.dmp
-
memory/4588-132-0x000000000062D000-0x000000000063E000-memory.dmpFilesize
68KB
-
memory/4588-135-0x0000000000400000-0x0000000000449000-memory.dmpFilesize
292KB
-
memory/4588-134-0x0000000000400000-0x0000000000449000-memory.dmpFilesize
292KB
-
memory/4588-133-0x00000000005E0000-0x00000000005E9000-memory.dmpFilesize
36KB
-
memory/24096-146-0x00000000010B0000-0x00000000010BF000-memory.dmpFilesize
60KB
-
memory/24096-183-0x00000000010C0000-0x00000000010C9000-memory.dmpFilesize
36KB
-
memory/24096-144-0x0000000000000000-mapping.dmp
-
memory/24096-145-0x00000000010C0000-0x00000000010C9000-memory.dmpFilesize
36KB
-
memory/55552-148-0x0000000000560000-0x0000000000565000-memory.dmpFilesize
20KB
-
memory/55552-147-0x0000000000000000-mapping.dmp
-
memory/55552-184-0x0000000000560000-0x0000000000565000-memory.dmpFilesize
20KB
-
memory/55552-149-0x0000000000550000-0x0000000000559000-memory.dmpFilesize
36KB
-
memory/83012-152-0x0000000000DB0000-0x0000000000DBC000-memory.dmpFilesize
48KB
-
memory/83012-185-0x0000000000DC0000-0x0000000000DC6000-memory.dmpFilesize
24KB
-
memory/83012-150-0x0000000000000000-mapping.dmp
-
memory/83012-151-0x0000000000DC0000-0x0000000000DC6000-memory.dmpFilesize
24KB
-
memory/102316-181-0x00000000062E0000-0x0000000006372000-memory.dmpFilesize
584KB
-
memory/102316-153-0x0000000000000000-mapping.dmp
-
memory/102316-154-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/102316-166-0x00000000057C0000-0x00000000057FC000-memory.dmpFilesize
240KB
-
memory/102316-180-0x0000000006890000-0x0000000006E34000-memory.dmpFilesize
5.6MB
-
memory/102316-162-0x0000000005760000-0x0000000005772000-memory.dmpFilesize
72KB
-
memory/102316-182-0x0000000006380000-0x00000000063E6000-memory.dmpFilesize
408KB
-
memory/102316-191-0x0000000008020000-0x000000000854C000-memory.dmpFilesize
5.2MB
-
memory/102316-160-0x0000000005CC0000-0x00000000062D8000-memory.dmpFilesize
6.1MB
-
memory/102316-161-0x0000000005830000-0x000000000593A000-memory.dmpFilesize
1.0MB
-
memory/102316-190-0x0000000007410000-0x00000000075D2000-memory.dmpFilesize
1.8MB
-
memory/102316-187-0x00000000070C0000-0x0000000007136000-memory.dmpFilesize
472KB
-
memory/102316-188-0x0000000007040000-0x0000000007090000-memory.dmpFilesize
320KB
-
memory/102336-189-0x0000000001230000-0x0000000001235000-memory.dmpFilesize
20KB
-
memory/102336-165-0x0000000000000000-mapping.dmp
-
memory/102336-167-0x0000000001220000-0x0000000001229000-memory.dmpFilesize
36KB
-
memory/102368-164-0x0000000000A40000-0x0000000000A67000-memory.dmpFilesize
156KB
-
memory/102368-163-0x0000000000A70000-0x0000000000A92000-memory.dmpFilesize
136KB
-
memory/102368-159-0x0000000000000000-mapping.dmp