redline | a0bf7c1184092027ccea8b4381e7f359662bcc317ac4c7a2e02459d1b66d9da6

Resubmissions

21/10/2022, 14:49

221021-r7edyaffe2 10

19/10/2022, 14:15

221019-rknzvsbggq 10

19/10/2022, 09:36

221019-lkxn4sfgcq 10

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20540f8cbd1837c3d99da3b542a7155d.exe
Size

687KB
MD5

20540f8cbd1837c3d99da3b542a7155d
SHA1

1b33b15b168d69b6d594ea049f8d92812f25b9a6
SHA256

a0bf7c1184092027ccea8b4381e7f359662bcc317ac4c7a2e02459d1b66d9da6
SHA512

2ab4669b9429aab13e43993e6dd7cdbcfdaa0c8942364081bc8ace85997c6b641769615f54f41ba1e7751fbd83639644f533294392617c201e6951c9188e2de0
SSDEEP

3072:9ahKyd2n31s5nFiizBaaAjLtdyuIIkIA4QWMHb030FhCt64yo:9ahOABdGLnyuIIkIxV0FB

Score

10^/10

redline smokeloader testing backdoor discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

Testing

46.3.199.124:27968

Attributes

auth_value
2e03f2e71c0fde73929d6d088968e2de

Signatures

Detects Smokeloader packer 4 IoCs

resource	yara_rule
behavioral1/memory/560-99-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/560-100-0x0000000000402E87-mapping.dmp	family_smokeloader
behavioral1/memory/560-103-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/560-104-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/856-77-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/856-76-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/856-78-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/856-79-0x000000000042211E-mapping.dmp	family_redline
behavioral1/memory/856-82-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/856-84-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

pid	Process
2036	CARNAT~2.EXE
1520	Gvnufnpwhsacqcarnature_s.exe
856	CARNAT~2.EXE
560	Gvnufnpwhsacqcarnature_s.exe

Loads dropped DLL 3 IoCs

pid	Process
2036	CARNAT~2.EXE
2036	CARNAT~2.EXE
1520	Gvnufnpwhsacqcarnature_s.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	20540f8cbd1837c3d99da3b542a7155d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	20540f8cbd1837c3d99da3b542a7155d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 856	2036	CARNAT~2.EXE	31
PID 1520 set thread context of 560	1520	Gvnufnpwhsacqcarnature_s.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Gvnufnpwhsacqcarnature_s.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Gvnufnpwhsacqcarnature_s.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Gvnufnpwhsacqcarnature_s.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
432	powershell.exe
856	CARNAT~2.EXE
996	powershell.exe
856	CARNAT~2.EXE
560	Gvnufnpwhsacqcarnature_s.exe
560	Gvnufnpwhsacqcarnature_s.exe
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
560	Gvnufnpwhsacqcarnature_s.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	CARNAT~2.EXE
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	1520	Gvnufnpwhsacqcarnature_s.exe
Token: SeDebugPrivilege	856	CARNAT~2.EXE
Token: SeDebugPrivilege	996	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2036	1292	20540f8cbd1837c3d99da3b542a7155d.exe	27
PID 1292 wrote to memory of 2036	1292	20540f8cbd1837c3d99da3b542a7155d.exe	27
PID 1292 wrote to memory of 2036	1292	20540f8cbd1837c3d99da3b542a7155d.exe	27
PID 1292 wrote to memory of 2036	1292	20540f8cbd1837c3d99da3b542a7155d.exe	27
PID 2036 wrote to memory of 432	2036	CARNAT~2.EXE	28
PID 2036 wrote to memory of 432	2036	CARNAT~2.EXE	28
PID 2036 wrote to memory of 432	2036	CARNAT~2.EXE	28
PID 2036 wrote to memory of 432	2036	CARNAT~2.EXE	28
PID 2036 wrote to memory of 1520	2036	CARNAT~2.EXE	30
PID 2036 wrote to memory of 1520	2036	CARNAT~2.EXE	30
PID 2036 wrote to memory of 1520	2036	CARNAT~2.EXE	30
PID 2036 wrote to memory of 1520	2036	CARNAT~2.EXE	30
PID 2036 wrote to memory of 856	2036	CARNAT~2.EXE	31
PID 2036 wrote to memory of 856	2036	CARNAT~2.EXE	31
PID 2036 wrote to memory of 856	2036	CARNAT~2.EXE	31
PID 2036 wrote to memory of 856	2036	CARNAT~2.EXE	31
PID 2036 wrote to memory of 856	2036	CARNAT~2.EXE	31
PID 2036 wrote to memory of 856	2036	CARNAT~2.EXE	31
PID 2036 wrote to memory of 856	2036	CARNAT~2.EXE	31
PID 2036 wrote to memory of 856	2036	CARNAT~2.EXE	31
PID 2036 wrote to memory of 856	2036	CARNAT~2.EXE	31
PID 1520 wrote to memory of 996	1520	Gvnufnpwhsacqcarnature_s.exe	33
PID 1520 wrote to memory of 996	1520	Gvnufnpwhsacqcarnature_s.exe	33
PID 1520 wrote to memory of 996	1520	Gvnufnpwhsacqcarnature_s.exe	33
PID 1520 wrote to memory of 996	1520	Gvnufnpwhsacqcarnature_s.exe	33
PID 1520 wrote to memory of 560	1520	Gvnufnpwhsacqcarnature_s.exe	35
PID 1520 wrote to memory of 560	1520	Gvnufnpwhsacqcarnature_s.exe	35
PID 1520 wrote to memory of 560	1520	Gvnufnpwhsacqcarnature_s.exe	35
PID 1520 wrote to memory of 560	1520	Gvnufnpwhsacqcarnature_s.exe	35
PID 1520 wrote to memory of 560	1520	Gvnufnpwhsacqcarnature_s.exe	35
PID 1520 wrote to memory of 560	1520	Gvnufnpwhsacqcarnature_s.exe	35
PID 1520 wrote to memory of 560	1520	Gvnufnpwhsacqcarnature_s.exe	35

C:\Users\Admin\AppData\Local\Temp\20540f8cbd1837c3d99da3b542a7155d.exe
"C:\Users\Admin\AppData\Local\Temp\20540f8cbd1837c3d99da3b542a7155d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA2AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- - C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe
    "C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA2AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:996
  - - C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe
      C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:560
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe

Filesize
6KB

MD5
69d0272e2d6cfee950467863be0348db

SHA1
15b2c9a800b2fdcbf39f23285751fea6e6568c9a

SHA256
24ec524af5843d89d406b72abf735106f2e1b6e28cf234ff4713dc5ee51e515e

SHA512
18773567df920d1046d672607de44a828debd6dbc15297e594a2f730c62961c2b508ea0c28f958ab370ccf52db70cc4d53324647ff6018e9cb97e15fdea527b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe

Filesize
6KB

MD5
69d0272e2d6cfee950467863be0348db

SHA1
15b2c9a800b2fdcbf39f23285751fea6e6568c9a

SHA256
24ec524af5843d89d406b72abf735106f2e1b6e28cf234ff4713dc5ee51e515e

SHA512
18773567df920d1046d672607de44a828debd6dbc15297e594a2f730c62961c2b508ea0c28f958ab370ccf52db70cc4d53324647ff6018e9cb97e15fdea527b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe

Filesize
6KB

MD5
69d0272e2d6cfee950467863be0348db

SHA1
15b2c9a800b2fdcbf39f23285751fea6e6568c9a

SHA256
24ec524af5843d89d406b72abf735106f2e1b6e28cf234ff4713dc5ee51e515e

SHA512
18773567df920d1046d672607de44a828debd6dbc15297e594a2f730c62961c2b508ea0c28f958ab370ccf52db70cc4d53324647ff6018e9cb97e15fdea527b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE

Filesize
333.8MB

MD5
0195b0838e4bafd5e9eed41ac4e8a9cc

SHA1
d813f54a41899ea02a97cf4988737787a431abe5

SHA256
1af1b6698ab7e6fa795eb5748832aef7d98b9fa8ea3d3f05f724691014c96bca

SHA512
0ea148d95b56f586e4d12e49d56ddaff02ed031f9200c7e521120cd49234827d682be99cb75380ccab9cdd4fdf322b98c8a733edc09f98bd70bd570b7e1f5c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE

Filesize
333.8MB

MD5
0195b0838e4bafd5e9eed41ac4e8a9cc

SHA1
d813f54a41899ea02a97cf4988737787a431abe5

SHA256
1af1b6698ab7e6fa795eb5748832aef7d98b9fa8ea3d3f05f724691014c96bca

SHA512
0ea148d95b56f586e4d12e49d56ddaff02ed031f9200c7e521120cd49234827d682be99cb75380ccab9cdd4fdf322b98c8a733edc09f98bd70bd570b7e1f5c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE

Filesize
333.8MB

MD5
0195b0838e4bafd5e9eed41ac4e8a9cc

SHA1
d813f54a41899ea02a97cf4988737787a431abe5

SHA256
1af1b6698ab7e6fa795eb5748832aef7d98b9fa8ea3d3f05f724691014c96bca

SHA512
0ea148d95b56f586e4d12e49d56ddaff02ed031f9200c7e521120cd49234827d682be99cb75380ccab9cdd4fdf322b98c8a733edc09f98bd70bd570b7e1f5c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
03b8bd61e720fcf869a47e50796e753f

SHA1
fcbe061ada55fa8e70a32db5ea57d18191b60124

SHA256
bad5d8780bf07e21973372c2ab8098a5d271ef98c86421668aac786d62c94f0b

SHA512
ae3ae30beaf29c424f2a158308cab7a3aa7db7cfd325d56a574b6d5dcbb095a968b1d09b392eac94c13fa281d826cc50f5cc215747bdd944e0f1c5109ef0bd75

Download Submit
\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe

Filesize
6KB

MD5
69d0272e2d6cfee950467863be0348db

SHA1
15b2c9a800b2fdcbf39f23285751fea6e6568c9a

SHA256
24ec524af5843d89d406b72abf735106f2e1b6e28cf234ff4713dc5ee51e515e

SHA512
18773567df920d1046d672607de44a828debd6dbc15297e594a2f730c62961c2b508ea0c28f958ab370ccf52db70cc4d53324647ff6018e9cb97e15fdea527b5

Download Submit
\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe

Filesize
6KB

MD5
69d0272e2d6cfee950467863be0348db

SHA1
15b2c9a800b2fdcbf39f23285751fea6e6568c9a

SHA256
24ec524af5843d89d406b72abf735106f2e1b6e28cf234ff4713dc5ee51e515e

SHA512
18773567df920d1046d672607de44a828debd6dbc15297e594a2f730c62961c2b508ea0c28f958ab370ccf52db70cc4d53324647ff6018e9cb97e15fdea527b5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE

Filesize
333.8MB

MD5
0195b0838e4bafd5e9eed41ac4e8a9cc

SHA1
d813f54a41899ea02a97cf4988737787a431abe5

SHA256
1af1b6698ab7e6fa795eb5748832aef7d98b9fa8ea3d3f05f724691014c96bca

SHA512
0ea148d95b56f586e4d12e49d56ddaff02ed031f9200c7e521120cd49234827d682be99cb75380ccab9cdd4fdf322b98c8a733edc09f98bd70bd570b7e1f5c3a

Download Submit
memory/432-63-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/432-64-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/432-65-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/560-104-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/560-99-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/560-96-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/560-97-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/560-103-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/856-76-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/856-73-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/856-82-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/856-84-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/856-78-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/856-74-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/856-77-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/996-94-0x00000000690D0000-0x000000006967B000-memory.dmp

Filesize
5.7MB

Download
memory/996-92-0x00000000690D0000-0x000000006967B000-memory.dmp

Filesize
5.7MB

Download
memory/996-93-0x00000000690D0000-0x000000006967B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-86-0x0000000005490000-0x000000000555E000-memory.dmp

Filesize
824KB

Download
memory/1520-87-0x0000000004DE0000-0x0000000004E72000-memory.dmp

Filesize
584KB

Download
memory/1520-70-0x0000000000930000-0x0000000000938000-memory.dmp

Filesize
32KB

Download
memory/2036-60-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/2036-59-0x0000000005530000-0x00000000055F2000-memory.dmp

Filesize
776KB

Download
memory/2036-58-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/2036-57-0x00000000012A0000-0x00000000012A8000-memory.dmp

Filesize
32KB

Download