redline | 932536b82f2cfdf2cc26698715b96844cf597170d7110ae80674122a9a647891

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2022 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

198KB
MD5

9d33aced5a2ee1a182f95a804cc33f36
SHA1

6d086a4abd9ffe8ff5e48dc64b4e7dbddcac30b1
SHA256

932536b82f2cfdf2cc26698715b96844cf597170d7110ae80674122a9a647891
SHA512

6ea26f547a5470cd5300f92f6c71e43c3d0adc7855dc4ef45631f0745471b616cdee4126ffe79acd12720d3d3afabd450df43691dfeb6c2ef011d7cf0196f847
SSDEEP

1536:jrae78zjORCDGwfdCSog01313Ns5gRC5gGm+qc:JahKyd2n3165+UHh

Score

10^/10

redline smokeloader nigh backdoor discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

Nigh

80.66.87.20:80

Attributes

auth_value
dab8506635d1dc134af4ebaedf4404eb

Signatures

Detects Smokeloader packer 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2908-171-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/2908-173-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/2908-174-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3120-155-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 5 IoCs

Processes:

attribstuneov.exeFwtadctsvykyvftnorspecialist_1s.exeattribstuneov.exeattribstuneov.exeFwtadctsvykyvftnorspecialist_1s.exe

pid	process
3616	attribstuneov.exe
5004	Fwtadctsvykyvftnorspecialist_1s.exe
3108	attribstuneov.exe
3120	attribstuneov.exe
2908	Fwtadctsvykyvftnorspecialist_1s.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

attribstuneov.exeFwtadctsvykyvftnorspecialist_1s.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	attribstuneov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Fwtadctsvykyvftnorspecialist_1s.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	file.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

attribstuneov.exeFwtadctsvykyvftnorspecialist_1s.exe

description	pid	process	target process
PID 3616 set thread context of 3120	3616	attribstuneov.exe	attribstuneov.exe
PID 5004 set thread context of 2908	5004	Fwtadctsvykyvftnorspecialist_1s.exe	Fwtadctsvykyvftnorspecialist_1s.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Fwtadctsvykyvftnorspecialist_1s.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fwtadctsvykyvftnorspecialist_1s.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fwtadctsvykyvftnorspecialist_1s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fwtadctsvykyvftnorspecialist_1s.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeattribstuneov.exepowershell.exeattribstuneov.exeFwtadctsvykyvftnorspecialist_1s.exe

pid	process
4364	powershell.exe
4364	powershell.exe
3616	attribstuneov.exe
3616	attribstuneov.exe
1588	powershell.exe
1588	powershell.exe
3120	attribstuneov.exe
3120	attribstuneov.exe
2908	Fwtadctsvykyvftnorspecialist_1s.exe
2908	Fwtadctsvykyvftnorspecialist_1s.exe
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Fwtadctsvykyvftnorspecialist_1s.exe

pid process

2908 Fwtadctsvykyvftnorspecialist_1s.exe

pid	process
2908	Fwtadctsvykyvftnorspecialist_1s.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

attribstuneov.exepowershell.exeFwtadctsvykyvftnorspecialist_1s.exeattribstuneov.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3616	attribstuneov.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	5004	Fwtadctsvykyvftnorspecialist_1s.exe
Token: SeDebugPrivilege	3120	attribstuneov.exe
Token: SeDebugPrivilege	1588	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

file.exeattribstuneov.exeFwtadctsvykyvftnorspecialist_1s.exe

description	pid	process	target process
PID 5076 wrote to memory of 3616	5076	file.exe	attribstuneov.exe
PID 5076 wrote to memory of 3616	5076	file.exe	attribstuneov.exe
PID 5076 wrote to memory of 3616	5076	file.exe	attribstuneov.exe
PID 3616 wrote to memory of 4364	3616	attribstuneov.exe	powershell.exe
PID 3616 wrote to memory of 4364	3616	attribstuneov.exe	powershell.exe
PID 3616 wrote to memory of 4364	3616	attribstuneov.exe	powershell.exe
PID 3616 wrote to memory of 5004	3616	attribstuneov.exe	Fwtadctsvykyvftnorspecialist_1s.exe
PID 3616 wrote to memory of 5004	3616	attribstuneov.exe	Fwtadctsvykyvftnorspecialist_1s.exe
PID 3616 wrote to memory of 5004	3616	attribstuneov.exe	Fwtadctsvykyvftnorspecialist_1s.exe
PID 3616 wrote to memory of 3108	3616	attribstuneov.exe	attribstuneov.exe
PID 3616 wrote to memory of 3108	3616	attribstuneov.exe	attribstuneov.exe
PID 3616 wrote to memory of 3108	3616	attribstuneov.exe	attribstuneov.exe
PID 3616 wrote to memory of 3120	3616	attribstuneov.exe	attribstuneov.exe
PID 3616 wrote to memory of 3120	3616	attribstuneov.exe	attribstuneov.exe
PID 3616 wrote to memory of 3120	3616	attribstuneov.exe	attribstuneov.exe
PID 3616 wrote to memory of 3120	3616	attribstuneov.exe	attribstuneov.exe
PID 3616 wrote to memory of 3120	3616	attribstuneov.exe	attribstuneov.exe
PID 3616 wrote to memory of 3120	3616	attribstuneov.exe	attribstuneov.exe
PID 3616 wrote to memory of 3120	3616	attribstuneov.exe	attribstuneov.exe
PID 3616 wrote to memory of 3120	3616	attribstuneov.exe	attribstuneov.exe
PID 5004 wrote to memory of 1588	5004	Fwtadctsvykyvftnorspecialist_1s.exe	powershell.exe
PID 5004 wrote to memory of 1588	5004	Fwtadctsvykyvftnorspecialist_1s.exe	powershell.exe
PID 5004 wrote to memory of 1588	5004	Fwtadctsvykyvftnorspecialist_1s.exe	powershell.exe
PID 5004 wrote to memory of 2908	5004	Fwtadctsvykyvftnorspecialist_1s.exe	Fwtadctsvykyvftnorspecialist_1s.exe
PID 5004 wrote to memory of 2908	5004	Fwtadctsvykyvftnorspecialist_1s.exe	Fwtadctsvykyvftnorspecialist_1s.exe
PID 5004 wrote to memory of 2908	5004	Fwtadctsvykyvftnorspecialist_1s.exe	Fwtadctsvykyvftnorspecialist_1s.exe
PID 5004 wrote to memory of 2908	5004	Fwtadctsvykyvftnorspecialist_1s.exe	Fwtadctsvykyvftnorspecialist_1s.exe
PID 5004 wrote to memory of 2908	5004	Fwtadctsvykyvftnorspecialist_1s.exe	Fwtadctsvykyvftnorspecialist_1s.exe
PID 5004 wrote to memory of 2908	5004	Fwtadctsvykyvftnorspecialist_1s.exe	Fwtadctsvykyvftnorspecialist_1s.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5076

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\attribstuneov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\attribstuneov.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Users\Admin\AppData\Local\Temp\Fwtadctsvykyvftnorspecialist_1s.exe
"C:\Users\Admin\AppData\Local\Temp\Fwtadctsvykyvftnorspecialist_1s.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\AppData\Local\Temp\Fwtadctsvykyvftnorspecialist_1s.exe
C:\Users\Admin\AppData\Local\Temp\Fwtadctsvykyvftnorspecialist_1s.exe
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2908

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\attribstuneov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\attribstuneov.exe
3⤵
- Executes dropped EXE
PID:3108

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\attribstuneov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\attribstuneov.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\attribstuneov.exe.log
Filesize
1KB

MD5
4f3fab3e5f44399e7f4162fd367eca2d

SHA1
adada0591db5f53bcc0565942047156de3464e6e

SHA256
5db52f2a6a0fbfaa29e27418a1b72b660298dfa58a12ac0f12897a06e557caef

SHA512
d8c3fe3a91e572627e31a44d88a71fc3072786b074d04484ff6aacfeab43e0d29ec88bf6ad2af2a5f8e70f0c0eea95dcea59a8159adf4c642e5f8fd5fc632db7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
86b8b3bbce6e6c07560380e25883f5b2

SHA1
065c45239d3449df044169bcab11e32a7f9b98a6

SHA256
0b7c40325d0da72f0861d24c19d773ceadd43b98316be36c76bb0ca5dba12e31

SHA512
dabd4716aa835d64312402699420db2901b250a654337950bd6c9c754a5b664110ff6372181666fc7a25fc17b6f157661e1ae218335db0e21865636374fdcd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fwtadctsvykyvftnorspecialist_1s.exe
Filesize
7KB

MD5
00ec86346476b322164f65155fcbe547

SHA1
3c102841041b9cb4fe42da45fb913692eb1a0bcb

SHA256
57f5c94a48b0b800541dbb198e451cf4b344d583a64f6efa6dae70a667592787

SHA512
7daa0eb7d46795fcf27f05ac9499590c6068929621bb4e7913fec4df9957d7c219eacb70a64178521b67697d64053125e840708a6767c5737fa74c9b884fd0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fwtadctsvykyvftnorspecialist_1s.exe
Filesize
7KB

MD5
00ec86346476b322164f65155fcbe547

SHA1
3c102841041b9cb4fe42da45fb913692eb1a0bcb

SHA256
57f5c94a48b0b800541dbb198e451cf4b344d583a64f6efa6dae70a667592787

SHA512
7daa0eb7d46795fcf27f05ac9499590c6068929621bb4e7913fec4df9957d7c219eacb70a64178521b67697d64053125e840708a6767c5737fa74c9b884fd0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fwtadctsvykyvftnorspecialist_1s.exe
Filesize
7KB

MD5
00ec86346476b322164f65155fcbe547

SHA1
3c102841041b9cb4fe42da45fb913692eb1a0bcb

SHA256
57f5c94a48b0b800541dbb198e451cf4b344d583a64f6efa6dae70a667592787

SHA512
7daa0eb7d46795fcf27f05ac9499590c6068929621bb4e7913fec4df9957d7c219eacb70a64178521b67697d64053125e840708a6767c5737fa74c9b884fd0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\attribstuneov.exe
Filesize
95.4MB

MD5
d114fd76ac112754218a365c4a7451b3

SHA1
dde838d0aded5ee2aca964557f96b9a780ff2d4f

SHA256
02ee64bde01919a60c4c8b13591f1c1a4e1557120589e41e579060fbb2dbf763

SHA512
456ec5d0040d6ba310fa3b6b3a77eaa567210b6c751de3b2c3b9bd2ab23e6bd91daf00bb70184fbbf2fa096e757708a2193952474f6d60971c4d352ecd6e6b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\attribstuneov.exe
Filesize
95.4MB

MD5
d114fd76ac112754218a365c4a7451b3

SHA1
dde838d0aded5ee2aca964557f96b9a780ff2d4f

SHA256
02ee64bde01919a60c4c8b13591f1c1a4e1557120589e41e579060fbb2dbf763

SHA512
456ec5d0040d6ba310fa3b6b3a77eaa567210b6c751de3b2c3b9bd2ab23e6bd91daf00bb70184fbbf2fa096e757708a2193952474f6d60971c4d352ecd6e6b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\attribstuneov.exe
Filesize
95.4MB

MD5
d114fd76ac112754218a365c4a7451b3

SHA1
dde838d0aded5ee2aca964557f96b9a780ff2d4f

SHA256
02ee64bde01919a60c4c8b13591f1c1a4e1557120589e41e579060fbb2dbf763

SHA512
456ec5d0040d6ba310fa3b6b3a77eaa567210b6c751de3b2c3b9bd2ab23e6bd91daf00bb70184fbbf2fa096e757708a2193952474f6d60971c4d352ecd6e6b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\attribstuneov.exe
Filesize
95.4MB

MD5
d114fd76ac112754218a365c4a7451b3

SHA1
dde838d0aded5ee2aca964557f96b9a780ff2d4f

SHA256
02ee64bde01919a60c4c8b13591f1c1a4e1557120589e41e579060fbb2dbf763

SHA512
456ec5d0040d6ba310fa3b6b3a77eaa567210b6c751de3b2c3b9bd2ab23e6bd91daf00bb70184fbbf2fa096e757708a2193952474f6d60971c4d352ecd6e6b96

Download Submit
memory/1588-161-0x0000000000000000-mapping.dmp

Download
memory/2908-170-0x0000000000000000-mapping.dmp

Download
memory/2908-171-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2908-173-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2908-174-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3108-152-0x0000000000000000-mapping.dmp

Download
memory/3120-167-0x0000000007020000-0x00000000071E2000-memory.dmp

Filesize
1.8MB

Download
memory/3120-159-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/3120-166-0x0000000006730000-0x0000000006780000-memory.dmp

Filesize
320KB

Download
memory/3120-168-0x0000000007720000-0x0000000007C4C000-memory.dmp

Filesize
5.2MB

Download
memory/3120-165-0x0000000006DD0000-0x0000000006E46000-memory.dmp

Filesize
472KB

Download
memory/3120-154-0x0000000000000000-mapping.dmp

Download
memory/3120-155-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3120-160-0x0000000004ED0000-0x0000000004F0C000-memory.dmp

Filesize
240KB

Download
memory/3120-157-0x00000000053D0000-0x00000000059E8000-memory.dmp

Filesize
6.1MB

Download
memory/3120-158-0x0000000004F40000-0x000000000504A000-memory.dmp

Filesize
1.0MB

Download
memory/3616-138-0x00000000056E0000-0x00000000056EA000-memory.dmp

Filesize
40KB

Download
memory/3616-139-0x0000000007870000-0x0000000007892000-memory.dmp

Filesize
136KB

Download
memory/3616-135-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/3616-137-0x0000000005550000-0x00000000055E2000-memory.dmp

Filesize
584KB

Download
memory/3616-132-0x0000000000000000-mapping.dmp

Download
memory/3616-136-0x0000000005A20000-0x0000000005FC4000-memory.dmp

Filesize
5.6MB

Download
memory/4364-145-0x0000000005E40000-0x0000000005E5E000-memory.dmp

Filesize
120KB

Download
memory/4364-141-0x0000000002880000-0x00000000028B6000-memory.dmp

Filesize
216KB

Download
memory/4364-140-0x0000000000000000-mapping.dmp

Download
memory/4364-147-0x0000000006340000-0x000000000635A000-memory.dmp

Filesize
104KB

Download
memory/4364-146-0x0000000007690000-0x0000000007D0A000-memory.dmp

Filesize
6.5MB

Download
memory/4364-142-0x0000000005210000-0x0000000005838000-memory.dmp

Filesize
6.2MB

Download
memory/4364-143-0x0000000005000000-0x0000000005066000-memory.dmp

Filesize
408KB

Download
memory/4364-144-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/5004-148-0x0000000000000000-mapping.dmp

Download
memory/5004-151-0x0000000000170000-0x0000000000178000-memory.dmp

Filesize
32KB

Download