Analysis
-
max time kernel
150s -
max time network
105s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
26-12-2022 07:53
General
-
Target
8cdbfa30b86f34fb01e03870471ab66f4cf800086278daa3a0df94179ada3bfb.exe
-
Size
231KB
-
MD5
b4ce27974da93fd1cbb25d6c801bcc68
-
SHA1
e3ab007ca97791e74c954725d3620e98f0f150bf
-
SHA256
8cdbfa30b86f34fb01e03870471ab66f4cf800086278daa3a0df94179ada3bfb
-
SHA512
7346310dd8cd173d86b24f8497dc80b85ff15d1796ed35abfeb8ba74ea9cae5ac3275ca6eb18bc7de58ba6d3b0c290b7d88847daa0596fc79155a0e3e1844e91
-
SSDEEP
3072:0HXaL795R0oOdA9DLm+QlS1g/tK8MytgaLrcSb54VIcVTuh:nL7Bbh9D63tK8JbIr
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
11
C2
79.137.202.18:45218
Attributes
-
auth_value
107e09eee63158d2488feb03dac75204
Signatures
-
Detects Smokeloader packer 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Deletes itself 1 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cdbfa30b86f34fb01e03870471ab66f4cf800086278daa3a0df94179ada3bfb.exe"C:\Users\Admin\AppData\Local\Temp\8cdbfa30b86f34fb01e03870471ab66f4cf800086278daa3a0df94179ada3bfb.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\CA69.exeC:\Users\Admin\AppData\Local\Temp\CA69.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\D130.exeC:\Users\Admin\AppData\Local\Temp\D130.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 2402⤵
- Program crash
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\CA69.exeFilesize
67KB
MD5666d8f33d37064fd5d14e2166c9bfa69
SHA13b27df9335a9b2efe9da1057e9f8312a72d1ca9d
SHA2567fddf1b75f50d43214867f367223f2d241d62ae63deea334d051c0ee19d18157
SHA512ac3c993f019bb402db474fda65d587ae7717725eea9b3a869acd3530543b7b94d354f19474f6b1c7fc760b5b22622328def2bef26e3900c186b16e8a3d3b90df
-
C:\Users\Admin\AppData\Local\Temp\CA69.exeFilesize
67KB
MD5666d8f33d37064fd5d14e2166c9bfa69
SHA13b27df9335a9b2efe9da1057e9f8312a72d1ca9d
SHA2567fddf1b75f50d43214867f367223f2d241d62ae63deea334d051c0ee19d18157
SHA512ac3c993f019bb402db474fda65d587ae7717725eea9b3a869acd3530543b7b94d354f19474f6b1c7fc760b5b22622328def2bef26e3900c186b16e8a3d3b90df
-
C:\Users\Admin\AppData\Local\Temp\D130.exeFilesize
403KB
MD585096ded58b9163ddc21460fbc98632e
SHA1aa24d8a0180423a9ee9a5c79f3f6d245cc8b3298
SHA25669a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc
SHA512c4f2977f4787e8f7c38e81fda6808c8b7983d8d5c6e803a21414a90488bb8ced00ce9dbeae57a922afac01720448da0733aef956809b831b059b097cfd49e3a8
-
C:\Users\Admin\AppData\Local\Temp\D130.exeFilesize
403KB
MD585096ded58b9163ddc21460fbc98632e
SHA1aa24d8a0180423a9ee9a5c79f3f6d245cc8b3298
SHA25669a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc
SHA512c4f2977f4787e8f7c38e81fda6808c8b7983d8d5c6e803a21414a90488bb8ced00ce9dbeae57a922afac01720448da0733aef956809b831b059b097cfd49e3a8
-
memory/688-398-0x0000000000000000-mapping.dmp
-
memory/688-1032-0x0000000002F50000-0x0000000002F55000-memory.dmpFilesize
20KB
-
memory/688-609-0x0000000002F40000-0x0000000002F49000-memory.dmpFilesize
36KB
-
memory/688-606-0x0000000002F50000-0x0000000002F55000-memory.dmpFilesize
20KB
-
memory/1528-169-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-173-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-160-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-159-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-158-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-299-0x0000000002AD0000-0x0000000002AF0000-memory.dmpFilesize
128KB
-
memory/1528-276-0x0000000005040000-0x00000000050A6000-memory.dmpFilesize
408KB
-
memory/1528-227-0x00000000007B0000-0x00000000007C6000-memory.dmpFilesize
88KB
-
memory/1528-190-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-187-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-157-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-185-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-181-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-183-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-179-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-155-0x0000000000000000-mapping.dmp
-
memory/1528-177-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-163-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-172-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-171-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-170-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-168-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-161-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-167-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-166-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-162-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/1528-164-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2220-439-0x0000000000000000-mapping.dmp
-
memory/2220-651-0x00000000005E0000-0x00000000005EB000-memory.dmpFilesize
44KB
-
memory/2220-1033-0x00000000005F0000-0x00000000005F6000-memory.dmpFilesize
24KB
-
memory/2220-650-0x00000000005F0000-0x00000000005F6000-memory.dmpFilesize
24KB
-
memory/2392-1007-0x0000000000B30000-0x0000000000B36000-memory.dmpFilesize
24KB
-
memory/2392-316-0x0000000000000000-mapping.dmp
-
memory/2392-362-0x0000000000B20000-0x0000000000B2C000-memory.dmpFilesize
48KB
-
memory/2392-359-0x0000000000B30000-0x0000000000B36000-memory.dmpFilesize
24KB
-
memory/2972-148-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-130-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-153-0x0000000000400000-0x000000000045E000-memory.dmpFilesize
376KB
-
memory/2972-152-0x00000000006D0000-0x00000000006D9000-memory.dmpFilesize
36KB
-
memory/2972-151-0x000000000074A000-0x000000000075A000-memory.dmpFilesize
64KB
-
memory/2972-150-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-149-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-118-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-147-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-146-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-145-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-144-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-143-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-119-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-142-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-120-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-141-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-121-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-140-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-122-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-139-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-138-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-124-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-123-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-137-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-136-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-135-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-125-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-128-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-134-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-127-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-126-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-133-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-129-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-154-0x0000000000400000-0x000000000045E000-memory.dmpFilesize
376KB
-
memory/2972-131-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/2972-132-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/3848-657-0x0000000009440000-0x00000000094D2000-memory.dmpFilesize
584KB
-
memory/3848-387-0x0000000009620000-0x0000000009C26000-memory.dmpFilesize
6.0MB
-
memory/3848-1010-0x000000000A760000-0x000000000A7B0000-memory.dmpFilesize
320KB
-
memory/3848-1009-0x000000000A6E0000-0x000000000A756000-memory.dmpFilesize
472KB
-
memory/3848-673-0x000000000AF00000-0x000000000B42C000-memory.dmpFilesize
5.2MB
-
memory/3848-204-0x000000000041B58A-mapping.dmp
-
memory/3848-671-0x000000000A800000-0x000000000A9C2000-memory.dmpFilesize
1.8MB
-
memory/3848-654-0x000000000A130000-0x000000000A62E000-memory.dmpFilesize
5.0MB
-
memory/3848-392-0x0000000009150000-0x000000000925A000-memory.dmpFilesize
1.0MB
-
memory/3848-191-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3848-399-0x0000000009080000-0x0000000009092000-memory.dmpFilesize
72KB
-
memory/3848-408-0x00000000090E0000-0x000000000911E000-memory.dmpFilesize
248KB
-
memory/3848-419-0x0000000009260000-0x00000000092AB000-memory.dmpFilesize
300KB
-
memory/3996-653-0x0000000000520000-0x000000000052B000-memory.dmpFilesize
44KB
-
memory/3996-652-0x0000000000530000-0x0000000000538000-memory.dmpFilesize
32KB
-
memory/3996-1034-0x0000000000530000-0x0000000000538000-memory.dmpFilesize
32KB
-
memory/3996-526-0x0000000000000000-mapping.dmp
-
memory/4148-178-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/4148-184-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/4148-176-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/4148-174-0x0000000000000000-mapping.dmp
-
memory/4148-186-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/4148-180-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/4148-182-0x0000000077220000-0x00000000773AE000-memory.dmpFilesize
1.6MB
-
memory/4276-233-0x0000000000000000-mapping.dmp
-
memory/4276-282-0x00000000007F0000-0x00000000007FF000-memory.dmpFilesize
60KB
-
memory/4276-672-0x0000000000A00000-0x0000000000A09000-memory.dmpFilesize
36KB
-
memory/4276-277-0x0000000000A00000-0x0000000000A09000-memory.dmpFilesize
36KB
-
memory/4692-414-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/4692-1008-0x0000000000410000-0x0000000000417000-memory.dmpFilesize
28KB
-
memory/4692-189-0x0000000000000000-mapping.dmp
-
memory/4692-368-0x0000000000410000-0x0000000000417000-memory.dmpFilesize
28KB
-
memory/4776-603-0x00000000004E0000-0x0000000000507000-memory.dmpFilesize
156KB
-
memory/4776-555-0x0000000000510000-0x0000000000532000-memory.dmpFilesize
136KB
-
memory/4776-353-0x0000000000000000-mapping.dmp
-
memory/4860-279-0x0000000000000000-mapping.dmp
-
memory/4860-499-0x00000000001F0000-0x00000000001F9000-memory.dmpFilesize
36KB
-
memory/4860-457-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/5004-507-0x0000000000C10000-0x0000000000C1D000-memory.dmpFilesize
52KB
-
memory/5004-1022-0x0000000000C20000-0x0000000000C27000-memory.dmpFilesize
28KB
-
memory/5004-503-0x0000000000C20000-0x0000000000C27000-memory.dmpFilesize
28KB
-
memory/5004-483-0x0000000000000000-mapping.dmp