redline | a0bf7c1184092027ccea8b4381e7f359662bcc317ac4c7a2e02459d1b66d9da6

Resubmissions

21/10/2022, 14:49

221021-r7edyaffe2 10

19/10/2022, 14:15

221019-rknzvsbggq 10

19/10/2022, 09:36

221019-lkxn4sfgcq 10

Analysis

max time kernel
84s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20540f8cbd1837c3d99da3b542a7155d.exe
Size

687KB
MD5

20540f8cbd1837c3d99da3b542a7155d
SHA1

1b33b15b168d69b6d594ea049f8d92812f25b9a6
SHA256

a0bf7c1184092027ccea8b4381e7f359662bcc317ac4c7a2e02459d1b66d9da6
SHA512

2ab4669b9429aab13e43993e6dd7cdbcfdaa0c8942364081bc8ace85997c6b641769615f54f41ba1e7751fbd83639644f533294392617c201e6951c9188e2de0
SSDEEP

3072:9ahKyd2n31s5nFiizBaaAjLtdyuIIkIA4QWMHb030FhCt64yo:9ahOABdGLnyuIIkIxV0FB

Score

10^/10

redline smokeloader testing backdoor infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

Testing

46.3.199.124:27968

Attributes

auth_value
2e03f2e71c0fde73929d6d088968e2de

Signatures

Detects Smokeloader packer 3 IoCs

resource	yara_rule
behavioral2/memory/2032-175-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/2032-177-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/2032-178-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/324-156-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 6 IoCs

pid	Process
2620	CARNAT~2.EXE
4252	Gvnufnpwhsacqcarnature_s.exe
4388	CARNAT~2.EXE
1324	CARNAT~2.EXE
1484	CARNAT~2.EXE
324	CARNAT~2.EXE

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	CARNAT~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Gvnufnpwhsacqcarnature_s.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	20540f8cbd1837c3d99da3b542a7155d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	20540f8cbd1837c3d99da3b542a7155d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2620 set thread context of 324	2620	CARNAT~2.EXE	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
5036	powershell.exe
5036	powershell.exe
2620	CARNAT~2.EXE
2620	CARNAT~2.EXE
2620	CARNAT~2.EXE
2620	CARNAT~2.EXE
2620	CARNAT~2.EXE
2620	CARNAT~2.EXE
3064	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	CARNAT~2.EXE
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	4252	Gvnufnpwhsacqcarnature_s.exe
Token: SeDebugPrivilege	3064	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2620	1128	20540f8cbd1837c3d99da3b542a7155d.exe	83
PID 1128 wrote to memory of 2620	1128	20540f8cbd1837c3d99da3b542a7155d.exe	83
PID 1128 wrote to memory of 2620	1128	20540f8cbd1837c3d99da3b542a7155d.exe	83
PID 2620 wrote to memory of 5036	2620	CARNAT~2.EXE	89
PID 2620 wrote to memory of 5036	2620	CARNAT~2.EXE	89
PID 2620 wrote to memory of 5036	2620	CARNAT~2.EXE	89
PID 2620 wrote to memory of 4252	2620	CARNAT~2.EXE	93
PID 2620 wrote to memory of 4252	2620	CARNAT~2.EXE	93
PID 2620 wrote to memory of 4252	2620	CARNAT~2.EXE	93
PID 2620 wrote to memory of 4388	2620	CARNAT~2.EXE	94
PID 2620 wrote to memory of 4388	2620	CARNAT~2.EXE	94
PID 2620 wrote to memory of 4388	2620	CARNAT~2.EXE	94
PID 2620 wrote to memory of 1324	2620	CARNAT~2.EXE	95
PID 2620 wrote to memory of 1324	2620	CARNAT~2.EXE	95
PID 2620 wrote to memory of 1324	2620	CARNAT~2.EXE	95
PID 2620 wrote to memory of 1484	2620	CARNAT~2.EXE	97
PID 2620 wrote to memory of 1484	2620	CARNAT~2.EXE	97
PID 2620 wrote to memory of 1484	2620	CARNAT~2.EXE	97
PID 2620 wrote to memory of 324	2620	CARNAT~2.EXE	96
PID 2620 wrote to memory of 324	2620	CARNAT~2.EXE	96
PID 2620 wrote to memory of 324	2620	CARNAT~2.EXE	96
PID 2620 wrote to memory of 324	2620	CARNAT~2.EXE	96
PID 2620 wrote to memory of 324	2620	CARNAT~2.EXE	96
PID 2620 wrote to memory of 324	2620	CARNAT~2.EXE	96
PID 2620 wrote to memory of 324	2620	CARNAT~2.EXE	96
PID 2620 wrote to memory of 324	2620	CARNAT~2.EXE	96
PID 4252 wrote to memory of 3064	4252	Gvnufnpwhsacqcarnature_s.exe	98
PID 4252 wrote to memory of 3064	4252	Gvnufnpwhsacqcarnature_s.exe	98
PID 4252 wrote to memory of 3064	4252	Gvnufnpwhsacqcarnature_s.exe	98

C:\Users\Admin\AppData\Local\Temp\20540f8cbd1837c3d99da3b542a7155d.exe
"C:\Users\Admin\AppData\Local\Temp\20540f8cbd1837c3d99da3b542a7155d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA2AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- - C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe
    "C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA2AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe
      C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe
      4⤵
      PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe
      C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe
      4⤵
      PID:2032
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE
    3⤵
    - Executes dropped EXE
    PID:4388
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE
    3⤵
    - Executes dropped EXE
    PID:1324
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE
    3⤵
    - Executes dropped EXE
    PID:324
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE
    3⤵
    - Executes dropped EXE
    PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
c6c3bc61f6d681667bb6675d48a25823

SHA1
705a6030310516719021409fcf1d649e806b0904

SHA256
e3617627f771b48393428d79e783eca4ef3eea86ca48473d7c0c6d5620cb8f6b

SHA512
8ff451357aa6deb786394f423528d7e771076a65be519c3ce1621ad86380d8c43656e4b838e5130a129480679cf01260f3529f4627b2c40cd5ea77fcfef1177a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe

Filesize
6KB

MD5
69d0272e2d6cfee950467863be0348db

SHA1
15b2c9a800b2fdcbf39f23285751fea6e6568c9a

SHA256
24ec524af5843d89d406b72abf735106f2e1b6e28cf234ff4713dc5ee51e515e

SHA512
18773567df920d1046d672607de44a828debd6dbc15297e594a2f730c62961c2b508ea0c28f958ab370ccf52db70cc4d53324647ff6018e9cb97e15fdea527b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe

Filesize
6KB

MD5
69d0272e2d6cfee950467863be0348db

SHA1
15b2c9a800b2fdcbf39f23285751fea6e6568c9a

SHA256
24ec524af5843d89d406b72abf735106f2e1b6e28cf234ff4713dc5ee51e515e

SHA512
18773567df920d1046d672607de44a828debd6dbc15297e594a2f730c62961c2b508ea0c28f958ab370ccf52db70cc4d53324647ff6018e9cb97e15fdea527b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe

Filesize
6KB

MD5
69d0272e2d6cfee950467863be0348db

SHA1
15b2c9a800b2fdcbf39f23285751fea6e6568c9a

SHA256
24ec524af5843d89d406b72abf735106f2e1b6e28cf234ff4713dc5ee51e515e

SHA512
18773567df920d1046d672607de44a828debd6dbc15297e594a2f730c62961c2b508ea0c28f958ab370ccf52db70cc4d53324647ff6018e9cb97e15fdea527b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe

Filesize
6KB

MD5
69d0272e2d6cfee950467863be0348db

SHA1
15b2c9a800b2fdcbf39f23285751fea6e6568c9a

SHA256
24ec524af5843d89d406b72abf735106f2e1b6e28cf234ff4713dc5ee51e515e

SHA512
18773567df920d1046d672607de44a828debd6dbc15297e594a2f730c62961c2b508ea0c28f958ab370ccf52db70cc4d53324647ff6018e9cb97e15fdea527b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE

Filesize
333.8MB

MD5
0195b0838e4bafd5e9eed41ac4e8a9cc

SHA1
d813f54a41899ea02a97cf4988737787a431abe5

SHA256
1af1b6698ab7e6fa795eb5748832aef7d98b9fa8ea3d3f05f724691014c96bca

SHA512
0ea148d95b56f586e4d12e49d56ddaff02ed031f9200c7e521120cd49234827d682be99cb75380ccab9cdd4fdf322b98c8a733edc09f98bd70bd570b7e1f5c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE

Filesize
333.8MB

MD5
0195b0838e4bafd5e9eed41ac4e8a9cc

SHA1
d813f54a41899ea02a97cf4988737787a431abe5

SHA256
1af1b6698ab7e6fa795eb5748832aef7d98b9fa8ea3d3f05f724691014c96bca

SHA512
0ea148d95b56f586e4d12e49d56ddaff02ed031f9200c7e521120cd49234827d682be99cb75380ccab9cdd4fdf322b98c8a733edc09f98bd70bd570b7e1f5c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE

Filesize
242.6MB

MD5
2e4dccf3b9ee93193d8c6d5a53ce67f9

SHA1
702c9c3539a9972ff536591eec204ee940b15c4d

SHA256
908a24b47100390c507d2ad862fee02778725c6441a32d4a8156f8ad7ca0971d

SHA512
d7c2950efdb29112a51885bcd1bafa659e446b7884f41139948eeb5c1b895dc99a9ab5c5d49526b9236bd3eca0e9bfcce453fe2dc7464490a7dd46a2a2f1296a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE

Filesize
250.5MB

MD5
eaa64c1948a54316df94e236e943baa5

SHA1
8573a5874151df386771919b0f9e35ecaf5e7595

SHA256
477439a8ced2f94732a720ca38b798a64b0ba405b1a422321bf6d6d389d45137

SHA512
e3ce85845e4391eb814bd434e8d19f164b6aac32c9b496ab642876ad682b6fb5fa3cb0333930ba52ec0cb2c54040f7b5cc066e63656410165a9e427071bd5615

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE

Filesize
256.2MB

MD5
f3580a24e5b6be6bd315cd57045653ae

SHA1
2147c3ac54e1303b8f339edcd16bbb5424b5a012

SHA256
76f6ff38b205d631ff1670119ef59a2cbbbbf08ffad5cff11c5a7bedfe3fe6df

SHA512
dc6d3c6a42d253c5a1f997303d597d6785bfa89658a629243b08f2c335d3217f4914c1662549a076ae344fe399d748cf6ff7038cefb525f11e0fd5274acd85ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE

Filesize
250.1MB

MD5
e7d7c007e5ea903da40ac7d7bcecd547

SHA1
f1e5f426d7751547d34dc8961a0b1b8a92a9c9c0

SHA256
a5fe95b8eb02d554157c47d5d660ff83c7682149d41a4d180ffd9ffad1d2bc1c

SHA512
9530553764f1a82a2b08f831a2e9a54a457df1370b01a6171e18d587a0d62c9d256f90256a9e3984b50decf8372487efbabd3d8433b597100bed5dc45481e302

Download Submit
memory/324-168-0x0000000005F50000-0x0000000005FC6000-memory.dmp

Filesize
472KB

Download
memory/324-170-0x0000000007490000-0x0000000007652000-memory.dmp

Filesize
1.8MB

Download
memory/324-171-0x0000000007B90000-0x00000000080BC000-memory.dmp

Filesize
5.2MB

Download
memory/324-161-0x0000000004F00000-0x0000000004F12000-memory.dmp

Filesize
72KB

Download
memory/324-169-0x0000000005FD0000-0x0000000006020000-memory.dmp

Filesize
320KB

Download
memory/324-166-0x0000000006060000-0x0000000006604000-memory.dmp

Filesize
5.6MB

Download
memory/324-167-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/324-162-0x0000000004F90000-0x0000000004FCC000-memory.dmp

Filesize
240KB

Download
memory/324-160-0x0000000004FD0000-0x00000000050DA000-memory.dmp

Filesize
1.0MB

Download
memory/324-159-0x0000000005490000-0x0000000005AA8000-memory.dmp

Filesize
6.1MB

Download
memory/324-156-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2032-175-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2032-178-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2032-177-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2620-135-0x0000000000780000-0x0000000000788000-memory.dmp

Filesize
32KB

Download
memory/2620-136-0x0000000005E10000-0x0000000005E32000-memory.dmp

Filesize
136KB

Download
memory/4252-148-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/5036-140-0x0000000005130000-0x0000000005196000-memory.dmp

Filesize
408KB

Download
memory/5036-142-0x0000000005FD0000-0x0000000005FEE000-memory.dmp

Filesize
120KB

Download
memory/5036-138-0x00000000029E0000-0x0000000002A16000-memory.dmp

Filesize
216KB

Download
memory/5036-141-0x0000000005350000-0x00000000053B6000-memory.dmp

Filesize
408KB

Download
memory/5036-144-0x00000000064F0000-0x000000000650A000-memory.dmp

Filesize
104KB

Download
memory/5036-143-0x0000000007650000-0x0000000007CCA000-memory.dmp

Filesize
6.5MB

Download
memory/5036-139-0x0000000005480000-0x0000000005AA8000-memory.dmp

Filesize
6.2MB

Download