redline | 48b427f4d40f61209cb7be06c1d47c13ce73f6ce5887e37228c6f572ab2994c9

Analysis

max time kernel
152s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48b427f4d40f61209cb7be06c1d47c13ce73f6ce5887e37228c6f572ab2994c9.exe
Size

186KB
MD5

b2850332aeb039fa7d26128c37071815
SHA1

6df0c8e9c8e6bf078b60ea6dbe869911a08c0646
SHA256

48b427f4d40f61209cb7be06c1d47c13ce73f6ce5887e37228c6f572ab2994c9
SHA512

13d32614e506c056c8093b45cfce3d1f9e8b40f82d9d771c7d589d16fc922d4d30d97511d26cf624837108c5b364c3e2f7092b76555845ed107b88c4fe12aa28
SSDEEP

3072:cIKy4vY2FjL8BgWH/Opk5F42vWBVXgpFoTW6NLI/khRLkeozGMw2AIhe:cPyaL8BgImriWXgpFoTW6ZI/CxoC6Ax

Score

10^/10

redline smokeloader new backdoor infostealer trojan

Malware Config

Extracted

Family

redline

Botnet

new

chardhesha.xyz:81

jalocliche.xyz:81

Attributes

auth_value
0ae189161615f61e951d226417eab9d5

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1672-133-0x00000000008E0000-0x00000000008E9000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2672-159-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

CEE4.exe3446.exe3C36.exedownloadsupdated-now-1-3_2022-11-23_17-36.exeGolana_2022-11-23_18-17.exe

pid process

3284 CEE4.exe
1836 3446.exe
4940 3C36.exe
3568 downloadsupdated-now-1-3_2022-11-23_17-36.exe
4548 Golana_2022-11-23_18-17.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

3446.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation 3446.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3284	CEE4.exe
1836	3446.exe
4940	3C36.exe
3568	downloadsupdated-now-1-3_2022-11-23_17-36.exe
4548	Golana_2022-11-23_18-17.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	3446.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

48b427f4d40f61209cb7be06c1d47c13ce73f6ce5887e37228c6f572ab2994c9.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	48b427f4d40f61209cb7be06c1d47c13ce73f6ce5887e37228c6f572ab2994c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	48b427f4d40f61209cb7be06c1d47c13ce73f6ce5887e37228c6f572ab2994c9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	48b427f4d40f61209cb7be06c1d47c13ce73f6ce5887e37228c6f572ab2994c9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

48b427f4d40f61209cb7be06c1d47c13ce73f6ce5887e37228c6f572ab2994c9.exe

pid	process
1672	48b427f4d40f61209cb7be06c1d47c13ce73f6ce5887e37228c6f572ab2994c9.exe
1672	48b427f4d40f61209cb7be06c1d47c13ce73f6ce5887e37228c6f572ab2994c9.exe
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2264
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

48b427f4d40f61209cb7be06c1d47c13ce73f6ce5887e37228c6f572ab2994c9.exe

pid process

1672 48b427f4d40f61209cb7be06c1d47c13ce73f6ce5887e37228c6f572ab2994c9.exe

pid	process
2264

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

CEE4.exe

description	pid	process
Token: SeDebugPrivilege	3284	CEE4.exe
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3446.exe

description	pid	process	target process
PID 2264 wrote to memory of 3284	2264		CEE4.exe
PID 2264 wrote to memory of 3284	2264		CEE4.exe
PID 2264 wrote to memory of 3284	2264		CEE4.exe
PID 2264 wrote to memory of 1836	2264		3446.exe
PID 2264 wrote to memory of 1836	2264		3446.exe
PID 2264 wrote to memory of 1836	2264		3446.exe
PID 2264 wrote to memory of 4940	2264		3C36.exe
PID 2264 wrote to memory of 4940	2264		3C36.exe
PID 2264 wrote to memory of 4940	2264		3C36.exe
PID 1836 wrote to memory of 3568	1836	3446.exe	downloadsupdated-now-1-3_2022-11-23_17-36.exe
PID 1836 wrote to memory of 3568	1836	3446.exe	downloadsupdated-now-1-3_2022-11-23_17-36.exe
PID 1836 wrote to memory of 3568	1836	3446.exe	downloadsupdated-now-1-3_2022-11-23_17-36.exe
PID 1836 wrote to memory of 4548	1836	3446.exe	Golana_2022-11-23_18-17.exe
PID 1836 wrote to memory of 4548	1836	3446.exe	Golana_2022-11-23_18-17.exe
PID 1836 wrote to memory of 4548	1836	3446.exe	Golana_2022-11-23_18-17.exe

C:\Users\Admin\AppData\Local\Temp\48b427f4d40f61209cb7be06c1d47c13ce73f6ce5887e37228c6f572ab2994c9.exe
"C:\Users\Admin\AppData\Local\Temp\48b427f4d40f61209cb7be06c1d47c13ce73f6ce5887e37228c6f572ab2994c9.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1672

C:\Users\Admin\AppData\Local\Temp\CEE4.exe
C:\Users\Admin\AppData\Local\Temp\CEE4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3284
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  PID:1516

C:\Users\Admin\AppData\Local\Temp\3446.exe
C:\Users\Admin\AppData\Local\Temp\3446.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\downloadsupdated-now-1-3_2022-11-23_17-36.exe
  "C:\Users\Admin\AppData\Local\Temp\downloadsupdated-now-1-3_2022-11-23_17-36.exe"
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Users\Admin\AppData\Local\Temp\Golana_2022-11-23_18-17.exe
  "C:\Users\Admin\AppData\Local\Temp\Golana_2022-11-23_18-17.exe"
  2⤵
  - Executes dropped EXE
  PID:4548

C:\Users\Admin\AppData\Local\Temp\3C36.exe
C:\Users\Admin\AppData\Local\Temp\3C36.exe
1⤵
- Executes dropped EXE
PID:4940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3446.exe

Filesize
2.6MB

MD5
4a832ed1585ffeb8508f1d8844a6b461

SHA1
3b74d193e25826495b9916ed426964ebd634d18c

SHA256
27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7

SHA512
28e0a908cd43719c1d288dcc8306c171f53b9cb98dbb178b94e8a59db9318524e49cf8f166fd8ac6614a55e0cf195717a9b4727a96c1f2f1378771f677c7a98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3446.exe

Filesize
2.6MB

MD5
4a832ed1585ffeb8508f1d8844a6b461

SHA1
3b74d193e25826495b9916ed426964ebd634d18c

SHA256
27a4a03a1dbe6efccf3b0d735dbac82e451012f99f77d5ea1a126955e7a332d7

SHA512
28e0a908cd43719c1d288dcc8306c171f53b9cb98dbb178b94e8a59db9318524e49cf8f166fd8ac6614a55e0cf195717a9b4727a96c1f2f1378771f677c7a98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C36.exe

Filesize
217KB

MD5
b67e4b134ab08107bcf196c7dc287ab7

SHA1
c4869b48c45413565d422c88e7f1eae482498349

SHA256
871546481d1e7ef58ee941366cfd776961d58996665e4e6f108f6b7bd58f188f

SHA512
99cd23a8b2d4eb85c7559b0c8b7dffbf1688867bfeb15dbdc1df4176142a8d2a2b2845490509ef2acf1c7e4ccb3ce9d38747b33b83b060079d2decae0d9357f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C36.exe

Filesize
217KB

MD5
b67e4b134ab08107bcf196c7dc287ab7

SHA1
c4869b48c45413565d422c88e7f1eae482498349

SHA256
871546481d1e7ef58ee941366cfd776961d58996665e4e6f108f6b7bd58f188f

SHA512
99cd23a8b2d4eb85c7559b0c8b7dffbf1688867bfeb15dbdc1df4176142a8d2a2b2845490509ef2acf1c7e4ccb3ce9d38747b33b83b060079d2decae0d9357f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEE4.exe

Filesize
6KB

MD5
1fa7079d26058ea034b51f04938b4f44

SHA1
2cccd49d886cdfcd80da806971962d93b6eeaf45

SHA256
19c00af81f362be665658f611e54d1a6e460bcdde64a15e3db3910841374e2a0

SHA512
43053b5d324b61ac922a38b8991511e21a9cdcea6e240720e7ec01f122dea06194efdb29a2e4c6b6628bfadbc7ff7846b0a324b6b5472d1501094e3dbae24f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEE4.exe

Filesize
6KB

MD5
1fa7079d26058ea034b51f04938b4f44

SHA1
2cccd49d886cdfcd80da806971962d93b6eeaf45

SHA256
19c00af81f362be665658f611e54d1a6e460bcdde64a15e3db3910841374e2a0

SHA512
43053b5d324b61ac922a38b8991511e21a9cdcea6e240720e7ec01f122dea06194efdb29a2e4c6b6628bfadbc7ff7846b0a324b6b5472d1501094e3dbae24f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Golana_2022-11-23_18-17.exe

Filesize
2.2MB

MD5
1c16ea996a2f54947883b5835e826a83

SHA1
a6aa88825ca5ce1635ab1284219a80966cbef7d2

SHA256
b8bbe249d88365c88ac3c72cfb55a625ca27171aeee71f915d2564592afc873d

SHA512
1507ef941553bccc41ec2db5fbe01a21b9367d90429751756657ddd0df2552ff3ba40f4cc7e5f3c6b4d97679ac01fb9d1ec91fd4296c93bb20582513a9748858

Download Submit
C:\Users\Admin\AppData\Local\Temp\Golana_2022-11-23_18-17.exe

Filesize
2.2MB

MD5
1c16ea996a2f54947883b5835e826a83

SHA1
a6aa88825ca5ce1635ab1284219a80966cbef7d2

SHA256
b8bbe249d88365c88ac3c72cfb55a625ca27171aeee71f915d2564592afc873d

SHA512
1507ef941553bccc41ec2db5fbe01a21b9367d90429751756657ddd0df2552ff3ba40f4cc7e5f3c6b4d97679ac01fb9d1ec91fd4296c93bb20582513a9748858

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloadsupdated-now-1-3_2022-11-23_17-36.exe

Filesize
316KB

MD5
33cd3263865106e58dc0bde2743e61be

SHA1
eef698be023823262eaa3528e866f2c00a702500

SHA256
a9959ac2c46261b6d061e0d4d73d5d379d3f3470c9be7bb5d951efc45342bb97

SHA512
60be0db9848a9d3b2a95bf0c5b91b306a4e6b6ecc8c784cf400601914c5b1b0fee20f8a03c84c16f055cd63167243e65a01870166f7322a146e9139f90f9e241

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloadsupdated-now-1-3_2022-11-23_17-36.exe

Filesize
316KB

MD5
33cd3263865106e58dc0bde2743e61be

SHA1
eef698be023823262eaa3528e866f2c00a702500

SHA256
a9959ac2c46261b6d061e0d4d73d5d379d3f3470c9be7bb5d951efc45342bb97

SHA512
60be0db9848a9d3b2a95bf0c5b91b306a4e6b6ecc8c784cf400601914c5b1b0fee20f8a03c84c16f055cd63167243e65a01870166f7322a146e9139f90f9e241

Download Submit
memory/1516-156-0x00000000014A0000-0x00000000014D6000-memory.dmp

Filesize
216KB

Download
memory/1516-155-0x0000000000000000-mapping.dmp

Download
memory/1516-157-0x00000000058D0000-0x0000000005EF8000-memory.dmp

Filesize
6.2MB

Download
memory/1672-135-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download
memory/1672-134-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download
memory/1672-133-0x00000000008E0000-0x00000000008E9000-memory.dmp

Filesize
36KB

Download
memory/1672-132-0x000000000098E000-0x000000000099E000-memory.dmp

Filesize
64KB

Download
memory/1836-140-0x0000000000000000-mapping.dmp

Download
memory/2672-158-0x0000000000000000-mapping.dmp

Download
memory/2672-159-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3284-144-0x00000000061A0000-0x0000000006744000-memory.dmp

Filesize
5.6MB

Download
memory/3284-145-0x0000000005C20000-0x0000000005C42000-memory.dmp

Filesize
136KB

Download
memory/3284-139-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/3284-143-0x0000000005B50000-0x0000000005BE2000-memory.dmp

Filesize
584KB

Download
memory/3284-136-0x0000000000000000-mapping.dmp

Download
memory/3568-149-0x0000000000000000-mapping.dmp

Download
memory/3568-160-0x000000000069D000-0x00000000006CE000-memory.dmp

Filesize
196KB

Download
memory/3568-162-0x0000000002290000-0x00000000022CE000-memory.dmp

Filesize
248KB

Download
memory/4548-152-0x0000000000000000-mapping.dmp

Download
memory/4940-146-0x0000000000000000-mapping.dmp

Download