Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
22-09-2022 03:51
General
-
Target
8d84fbaf04aa367f5b193fec39e6c846.exe
-
Size
274KB
-
MD5
8d84fbaf04aa367f5b193fec39e6c846
-
SHA1
51e674d175baa2f0dcc70e52642d5a1accec2dfc
-
SHA256
11212a25a03d681bfb1a7b537b8e066c09d506a30728bd377d47480d8274847a
-
SHA512
43e73a0c1a533d42f76d31d6b6763e5d9523f65add668b75a34cc7ebb82ccd3ae41688ab5d6478c8213dda108143b31fb2be31317e060c1790e8681cfa019b10
-
SSDEEP
3072:e85Xy/AkR0X6iYF5I8CS9SodNY8KYq8TX8FVL9g0Ky046SsxkgaBChEpZa9uD6V0:e4yxARZS9LdNoACh9g0XaigavwVfs
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
LogsDiller Cloud (Sup: @mr_golds)
C2
77.73.134.27:8163
Attributes
-
auth_value
56c6f7b9024c076f0a96931453da7e56
Signatures
-
Detects Smokeloader packer 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d84fbaf04aa367f5b193fec39e6c846.exe"C:\Users\Admin\AppData\Local\Temp\8d84fbaf04aa367f5b193fec39e6c846.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1993.exeC:\Users\Admin\AppData\Local\Temp\1993.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1993.exeFilesize
2.6MB
MD50b9978d5b7c98f448f01a37add0d1cab
SHA17faccb84b6e5f026ae2c9a57c85f44ae17ae8cfa
SHA256dc2879d1ea852d721808045d04e9c98dca28623ace248eb2efdd84701255cd68
SHA512e24b09ee83b9a4a36ca5594f1c12e9015b7f9eeb103de1a6bbe82ad5d453282fe834d5d5190886df7e8814bccd8dca7ec4009965717b6b57716f0907d8298b7e
-
C:\Users\Admin\AppData\Local\Temp\1993.exeFilesize
2.6MB
MD50b9978d5b7c98f448f01a37add0d1cab
SHA17faccb84b6e5f026ae2c9a57c85f44ae17ae8cfa
SHA256dc2879d1ea852d721808045d04e9c98dca28623ace248eb2efdd84701255cd68
SHA512e24b09ee83b9a4a36ca5594f1c12e9015b7f9eeb103de1a6bbe82ad5d453282fe834d5d5190886df7e8814bccd8dca7ec4009965717b6b57716f0907d8298b7e
-
memory/1296-135-0x0000000000400000-0x0000000000449000-memory.dmpFilesize
292KB
-
memory/1296-134-0x0000000000400000-0x0000000000449000-memory.dmpFilesize
292KB
-
memory/1296-133-0x00000000006E0000-0x00000000006E9000-memory.dmpFilesize
36KB
-
memory/1296-132-0x000000000070D000-0x000000000071E000-memory.dmpFilesize
68KB
-
memory/4880-136-0x0000000000000000-mapping.dmp
-
memory/23968-139-0x0000000000000000-mapping.dmp
-
memory/23968-140-0x0000000000550000-0x0000000000557000-memory.dmpFilesize
28KB
-
memory/23968-141-0x0000000000540000-0x000000000054B000-memory.dmpFilesize
44KB
-
memory/23968-179-0x0000000000550000-0x0000000000557000-memory.dmpFilesize
28KB
-
memory/83644-150-0x0000000000CC0000-0x0000000000CCF000-memory.dmpFilesize
60KB
-
memory/83644-142-0x0000000000000000-mapping.dmp
-
memory/83644-149-0x0000000000CD0000-0x0000000000CD9000-memory.dmpFilesize
36KB
-
memory/102008-152-0x0000000005040000-0x0000000005658000-memory.dmpFilesize
6.1MB
-
memory/102008-181-0x0000000007140000-0x0000000007302000-memory.dmpFilesize
1.8MB
-
memory/102008-175-0x0000000004E10000-0x0000000004E76000-memory.dmpFilesize
408KB
-
memory/102008-153-0x0000000004B70000-0x0000000004C7A000-memory.dmpFilesize
1.0MB
-
memory/102008-154-0x0000000004AA0000-0x0000000004AB2000-memory.dmpFilesize
72KB
-
memory/102008-155-0x0000000004B30000-0x0000000004B6C000-memory.dmpFilesize
240KB
-
memory/102008-177-0x0000000005F10000-0x00000000064B4000-memory.dmpFilesize
5.6MB
-
memory/102008-178-0x0000000005A00000-0x0000000005A92000-memory.dmpFilesize
584KB
-
memory/102008-143-0x0000000000000000-mapping.dmp
-
memory/102008-183-0x0000000007840000-0x0000000007D6C000-memory.dmpFilesize
5.2MB
-
memory/102008-184-0x00000000065C0000-0x0000000006636000-memory.dmpFilesize
472KB
-
memory/102008-186-0x0000000005EB0000-0x0000000005F00000-memory.dmpFilesize
320KB
-
memory/102008-144-0x0000000000190000-0x00000000001B8000-memory.dmpFilesize
160KB
-
memory/102068-151-0x0000000000000000-mapping.dmp
-
memory/102068-180-0x00000000008A0000-0x00000000008A5000-memory.dmpFilesize
20KB
-
memory/102068-157-0x0000000000890000-0x0000000000899000-memory.dmpFilesize
36KB
-
memory/102068-156-0x00000000008A0000-0x00000000008A5000-memory.dmpFilesize
20KB
-
memory/102112-160-0x0000000000F20000-0x0000000000F2C000-memory.dmpFilesize
48KB
-
memory/102112-159-0x0000000000F30000-0x0000000000F36000-memory.dmpFilesize
24KB
-
memory/102112-182-0x0000000000F30000-0x0000000000F36000-memory.dmpFilesize
24KB
-
memory/102112-158-0x0000000000000000-mapping.dmp
-
memory/102140-162-0x00000000010B0000-0x00000000010D2000-memory.dmpFilesize
136KB
-
memory/102140-163-0x0000000001080000-0x00000000010A7000-memory.dmpFilesize
156KB
-
memory/102140-185-0x00000000010B0000-0x00000000010D2000-memory.dmpFilesize
136KB
-
memory/102140-161-0x0000000000000000-mapping.dmp
-
memory/102164-164-0x0000000000000000-mapping.dmp
-
memory/102164-167-0x0000000000440000-0x0000000000449000-memory.dmpFilesize
36KB
-
memory/102164-187-0x0000000000450000-0x0000000000455000-memory.dmpFilesize
20KB
-
memory/102164-166-0x0000000000450000-0x0000000000455000-memory.dmpFilesize
20KB
-
memory/102188-165-0x0000000000000000-mapping.dmp
-
memory/102188-168-0x0000000001080000-0x000000000108B000-memory.dmpFilesize
44KB
-
memory/102188-170-0x0000000001090000-0x0000000001096000-memory.dmpFilesize
24KB
-
memory/102188-188-0x0000000001090000-0x0000000001096000-memory.dmpFilesize
24KB
-
memory/102220-169-0x0000000000000000-mapping.dmp
-
memory/102220-171-0x0000000000AC0000-0x0000000000ACD000-memory.dmpFilesize
52KB
-
memory/102220-173-0x0000000000AD0000-0x0000000000AD7000-memory.dmpFilesize
28KB
-
memory/102220-189-0x0000000000AD0000-0x0000000000AD7000-memory.dmpFilesize
28KB
-
memory/102248-176-0x00000000008F0000-0x00000000008F8000-memory.dmpFilesize
32KB
-
memory/102248-172-0x0000000000000000-mapping.dmp
-
memory/102248-174-0x00000000008E0000-0x00000000008EB000-memory.dmpFilesize
44KB
-
memory/102248-190-0x00000000008F0000-0x00000000008F8000-memory.dmpFilesize
32KB