Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
27/11/2022, 07:00
General
-
Target
c1a44c5979923bc47730689584d1a8809afd07fd1550bbabee6f231aebb76ac2.exe
-
Size
148KB
-
MD5
a7b9f9eefb808b9e695016812bb17984
-
SHA1
e7f86e5fa85b2a6d9596c5f5e8cd9c5bc9951b6f
-
SHA256
c1a44c5979923bc47730689584d1a8809afd07fd1550bbabee6f231aebb76ac2
-
SHA512
e191965e4718c1908cf9769c18ba1c0622b7510e28304fef3a72c1d9425f4b358be4b4fdb5ab731cbba35346a058466087c2e8ea72b5c3ad17e65d3a396d0cbf
-
SSDEEP
3072:TtRzU0DzjnzJCB5BMWTkyzgE6OnAF00PH6beSLwlJ:ntzzzJOTkyXH8H6yfL
Malware Config
Extracted
redline
newlogs
77.73.133.70:38819
-
auth_value
05a73a1692c3aebb2a26f1a593237a77
Extracted
redline
KRIPT
212.8.246.157:32348
-
auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4
Signatures
-
Detects Smokeloader packer 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1a44c5979923bc47730689584d1a8809afd07fd1550bbabee6f231aebb76ac2.exe"C:\Users\Admin\AppData\Local\Temp\c1a44c5979923bc47730689584d1a8809afd07fd1550bbabee6f231aebb76ac2.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\DBB.exeC:\Users\Admin\AppData\Local\Temp\DBB.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1F02.exeC:\Users\Admin\AppData\Local\Temp\1F02.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\354A.exeC:\Users\Admin\AppData\Local\Temp\354A.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
209KB
MD54f6f1e21166488e9c7e1b395051bbd9d
SHA174e4378d17d36bbaffabb024e50e57be735d8b32
SHA256538b97821cb7545514296decdcfe474717ce95648c4260da497bfd233aa99ffc
SHA51224e0f9aa61d35b754d1fe26a4a4a44da657f196d7662f6d2cc26ae7f24d44a80d47de8d202d20c32c67d176ffc2a783805564a81ee7e5efabd5537ebd1aceb84
-
Filesize
209KB
MD54f6f1e21166488e9c7e1b395051bbd9d
SHA174e4378d17d36bbaffabb024e50e57be735d8b32
SHA256538b97821cb7545514296decdcfe474717ce95648c4260da497bfd233aa99ffc
SHA51224e0f9aa61d35b754d1fe26a4a4a44da657f196d7662f6d2cc26ae7f24d44a80d47de8d202d20c32c67d176ffc2a783805564a81ee7e5efabd5537ebd1aceb84
-
Filesize
2.4MB
MD56720cef37d560fb7d6fee8aa23c9ecbd
SHA1a0ad2c86e4893ac1d13806450663c191d479d4ab
SHA2561c35a69722c777c8d255e7b0a6fc0d0667d788fea2121a41d00ad91fed42c17c
SHA51247d49da37cd0294a09ef7acb9023e0f979e8e730a6e9cbb85bb5d98e2de6f5bf8818b68121ee67eae376426d63c5429946fcc2355ee7c9b0d3840a3ccd59ac80
-
Filesize
1.0MB
MD5fc78f5650188734808f725d0934650a1
SHA1e5184b4aa5de2d1121572fbfd3c2f05bf2b9a000
SHA256319ead10ec14192ea1ba28c3079e72a581bbdbb13a67a3ccbe3066dfec86179a
SHA512d74f0f7e0fb32d3ac0ef09fdd6762032044bb48ca298ee68e9e7cfd327db812bff460efe89495778febddeb5fdb3d8aa3d6c1f61d1aff34dcaa0a2bf07f2f3f0
-
Filesize
1.0MB
MD5fc78f5650188734808f725d0934650a1
SHA1e5184b4aa5de2d1121572fbfd3c2f05bf2b9a000
SHA256319ead10ec14192ea1ba28c3079e72a581bbdbb13a67a3ccbe3066dfec86179a
SHA512d74f0f7e0fb32d3ac0ef09fdd6762032044bb48ca298ee68e9e7cfd327db812bff460efe89495778febddeb5fdb3d8aa3d6c1f61d1aff34dcaa0a2bf07f2f3f0
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
68KB
-
Filesize
360KB
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
68KB
-
Filesize
360KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
4.8MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
964KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
964KB
-
Filesize
1.6MB
-
Filesize
1.4MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
4.8MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
300KB
-
Filesize
248KB
-
Filesize
5.0MB
-
Filesize
584KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
6.0MB
-
Filesize
160KB
-
Filesize
408KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
160KB
-
Filesize
1.8MB
-
Filesize
5.2MB