redline | d15d96837bf10c0103281e9372d8c4aed44088ce396692fca804216301201b56

General

Target

d15d96837bf10c0103281e9372d8c4aed44088ce396692fca804216301201b56.exe
Size

233KB
MD5

a8427cd641063f710feeb5434267d8cf
SHA1

5ee55c6ee1f2d4e779e0043a84cdec06bc6f2259
SHA256

d15d96837bf10c0103281e9372d8c4aed44088ce396692fca804216301201b56
SHA512

353734315aa92f1b8c19bfb47fe9053d4449ad88ac17996774ca3d9a8197172822a3e359c4dd4dfbe91767cdc3096eb8adfecdcb3a655650e9c8f5a290be34b1
SSDEEP

3072:zlTqaLVex5HIsI9n44+MHfjOWUvnoht71gRzf2QjvOmlS1g/tK8g38xWA4LrcSb1:JLMBWhHqEt71gbJtK8iCqbIr

Score

10^/10

redline smokeloader 11 backdoor infostealer spyware trojan

Malware Config

Extracted

Family

redline

Botnet

11

C2

79.137.202.18:45218

Attributes

auth_value
107e09eee63158d2488feb03dac75204

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1484-133-0x00000000005F0000-0x00000000005F9000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

3393.exe3A1C.exe

pid process

4200 3393.exe
4580 3A1C.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

3A1C.exe

description pid process target process

PID 4580 set thread context of 1428 4580 3A1C.exe vbc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1320 4580 WerFault.exe 3A1C.exe

pid	process
4200	3393.exe
4580	3A1C.exe

description	pid	process	target process
PID 4580 set thread context of 1428	4580	3A1C.exe	vbc.exe

pid	pid_target	process	target process
1320	4580	WerFault.exe	3A1C.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d15d96837bf10c0103281e9372d8c4aed44088ce396692fca804216301201b56.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d15d96837bf10c0103281e9372d8c4aed44088ce396692fca804216301201b56.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d15d96837bf10c0103281e9372d8c4aed44088ce396692fca804216301201b56.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d15d96837bf10c0103281e9372d8c4aed44088ce396692fca804216301201b56.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d15d96837bf10c0103281e9372d8c4aed44088ce396692fca804216301201b56.exe

pid	process
1484	d15d96837bf10c0103281e9372d8c4aed44088ce396692fca804216301201b56.exe
1484	d15d96837bf10c0103281e9372d8c4aed44088ce396692fca804216301201b56.exe
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2980

pid	process
2980

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

d15d96837bf10c0103281e9372d8c4aed44088ce396692fca804216301201b56.exe

pid	process
1484	d15d96837bf10c0103281e9372d8c4aed44088ce396692fca804216301201b56.exe
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980
2980

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeShutdownPrivilege	2980
Token: SeCreatePagefilePrivilege	2980
Token: SeShutdownPrivilege	2980
Token: SeCreatePagefilePrivilege	2980
Token: SeShutdownPrivilege	2980
Token: SeCreatePagefilePrivilege	2980
Token: SeShutdownPrivilege	2980
Token: SeCreatePagefilePrivilege	2980
Token: SeShutdownPrivilege	2980
Token: SeCreatePagefilePrivilege	2980
Token: SeDebugPrivilege	1428	vbc.exe
Token: SeShutdownPrivilege	2980
Token: SeCreatePagefilePrivilege	2980

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

3A1C.exe3393.exe

description	pid	process	target process
PID 2980 wrote to memory of 4200	2980		3393.exe
PID 2980 wrote to memory of 4200	2980		3393.exe
PID 2980 wrote to memory of 4200	2980		3393.exe
PID 2980 wrote to memory of 4580	2980		3A1C.exe
PID 2980 wrote to memory of 4580	2980		3A1C.exe
PID 2980 wrote to memory of 4580	2980		3A1C.exe
PID 2980 wrote to memory of 116	2980		explorer.exe
PID 2980 wrote to memory of 116	2980		explorer.exe
PID 2980 wrote to memory of 116	2980		explorer.exe
PID 2980 wrote to memory of 116	2980		explorer.exe
PID 4580 wrote to memory of 1428	4580	3A1C.exe	vbc.exe
PID 4580 wrote to memory of 1428	4580	3A1C.exe	vbc.exe
PID 4580 wrote to memory of 1428	4580	3A1C.exe	vbc.exe
PID 4580 wrote to memory of 1428	4580	3A1C.exe	vbc.exe
PID 4580 wrote to memory of 1428	4580	3A1C.exe	vbc.exe
PID 2980 wrote to memory of 5036	2980		explorer.exe
PID 2980 wrote to memory of 5036	2980		explorer.exe
PID 2980 wrote to memory of 5036	2980		explorer.exe
PID 4200 wrote to memory of 1644	4200	3393.exe	vbc.exe
PID 4200 wrote to memory of 1644	4200	3393.exe	vbc.exe
PID 4200 wrote to memory of 1644	4200	3393.exe	vbc.exe
PID 4200 wrote to memory of 4192	4200	3393.exe	vbc.exe
PID 2980 wrote to memory of 3176	2980		explorer.exe
PID 4200 wrote to memory of 4192	4200	3393.exe	vbc.exe
PID 2980 wrote to memory of 3176	2980		explorer.exe
PID 4200 wrote to memory of 4192	4200	3393.exe	vbc.exe
PID 2980 wrote to memory of 3176	2980		explorer.exe
PID 2980 wrote to memory of 3176	2980		explorer.exe
PID 4200 wrote to memory of 4328	4200	3393.exe	vbc.exe
PID 4200 wrote to memory of 4328	4200	3393.exe	vbc.exe
PID 4200 wrote to memory of 4328	4200	3393.exe	vbc.exe
PID 4200 wrote to memory of 1784	4200	3393.exe	vbc.exe
PID 4200 wrote to memory of 1784	4200	3393.exe	vbc.exe
PID 4200 wrote to memory of 1784	4200	3393.exe	vbc.exe
PID 2980 wrote to memory of 1200	2980		explorer.exe
PID 2980 wrote to memory of 1200	2980		explorer.exe
PID 2980 wrote to memory of 1200	2980		explorer.exe
PID 2980 wrote to memory of 3688	2980		explorer.exe
PID 2980 wrote to memory of 3688	2980		explorer.exe
PID 2980 wrote to memory of 3688	2980		explorer.exe
PID 2980 wrote to memory of 3688	2980		explorer.exe
PID 2980 wrote to memory of 2104	2980		explorer.exe
PID 2980 wrote to memory of 2104	2980		explorer.exe
PID 2980 wrote to memory of 2104	2980		explorer.exe
PID 2980 wrote to memory of 2104	2980		explorer.exe
PID 2980 wrote to memory of 64	2980		explorer.exe
PID 2980 wrote to memory of 64	2980		explorer.exe
PID 2980 wrote to memory of 64	2980		explorer.exe
PID 2980 wrote to memory of 64	2980		explorer.exe
PID 2980 wrote to memory of 3612	2980		explorer.exe
PID 2980 wrote to memory of 3612	2980		explorer.exe
PID 2980 wrote to memory of 3612	2980		explorer.exe
PID 2980 wrote to memory of 4620	2980		explorer.exe
PID 2980 wrote to memory of 4620	2980		explorer.exe
PID 2980 wrote to memory of 4620	2980		explorer.exe
PID 2980 wrote to memory of 4620	2980		explorer.exe

C:\Users\Admin\AppData\Local\Temp\d15d96837bf10c0103281e9372d8c4aed44088ce396692fca804216301201b56.exe
"C:\Users\Admin\AppData\Local\Temp\d15d96837bf10c0103281e9372d8c4aed44088ce396692fca804216301201b56.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1484

C:\Users\Admin\AppData\Local\Temp\3393.exe
C:\Users\Admin\AppData\Local\Temp\3393.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:4328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:4192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\3A1C.exe
C:\Users\Admin\AppData\Local\Temp\3A1C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 148
2⤵
- Program crash
PID:1320

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4580 -ip 4580
1⤵
PID:800

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5036

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3176

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1200

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3688

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2104

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:64

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3612

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3393.exe
Filesize
67KB

MD5
666d8f33d37064fd5d14e2166c9bfa69

SHA1
3b27df9335a9b2efe9da1057e9f8312a72d1ca9d

SHA256
7fddf1b75f50d43214867f367223f2d241d62ae63deea334d051c0ee19d18157

SHA512
ac3c993f019bb402db474fda65d587ae7717725eea9b3a869acd3530543b7b94d354f19474f6b1c7fc760b5b22622328def2bef26e3900c186b16e8a3d3b90df

Download Submit
C:\Users\Admin\AppData\Local\Temp\3393.exe
Filesize
67KB

MD5
666d8f33d37064fd5d14e2166c9bfa69

SHA1
3b27df9335a9b2efe9da1057e9f8312a72d1ca9d

SHA256
7fddf1b75f50d43214867f367223f2d241d62ae63deea334d051c0ee19d18157

SHA512
ac3c993f019bb402db474fda65d587ae7717725eea9b3a869acd3530543b7b94d354f19474f6b1c7fc760b5b22622328def2bef26e3900c186b16e8a3d3b90df

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A1C.exe
Filesize
403KB

MD5
9997129d3e41ae79381957203470b051

SHA1
96dedfa4c05585d8d957a80a6dc816424fc60308

SHA256
d5ee046c945c2742f492c96a01eed8a4d92c3cc3f7d1d3c45c12e9162ec08255

SHA512
2e1664c8bab30869775ef59a53cc29ae418866a4974ce9a8014b0918694eb10bdd7d76646156d6b731057e897846d8f70c86f0fe4581d72117a4d08a4e61788b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A1C.exe
Filesize
403KB

MD5
9997129d3e41ae79381957203470b051

SHA1
96dedfa4c05585d8d957a80a6dc816424fc60308

SHA256
d5ee046c945c2742f492c96a01eed8a4d92c3cc3f7d1d3c45c12e9162ec08255

SHA512
2e1664c8bab30869775ef59a53cc29ae418866a4974ce9a8014b0918694eb10bdd7d76646156d6b731057e897846d8f70c86f0fe4581d72117a4d08a4e61788b

Download Submit
memory/64-178-0x0000000000650000-0x000000000065B000-memory.dmp

Filesize
44KB

Download
memory/64-176-0x0000000000000000-mapping.dmp

Download
memory/64-195-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/64-177-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/116-151-0x0000000000990000-0x0000000000997000-memory.dmp

Filesize
28KB

Download
memory/116-144-0x0000000000000000-mapping.dmp

Download
memory/116-153-0x0000000000980000-0x000000000098B000-memory.dmp

Filesize
44KB

Download
memory/1200-169-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/1200-192-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/1200-168-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/1200-167-0x0000000000000000-mapping.dmp

Download
memory/1428-190-0x0000000006DB0000-0x00000000072DC000-memory.dmp

Filesize
5.2MB

Download
memory/1428-189-0x00000000066B0000-0x0000000006872000-memory.dmp

Filesize
1.8MB

Download
memory/1428-146-0x00000000001B0000-0x00000000001E2000-memory.dmp

Filesize
200KB

Download
memory/1428-188-0x0000000005CA0000-0x0000000005CF0000-memory.dmp

Filesize
320KB

Download
memory/1428-156-0x0000000005260000-0x0000000005878000-memory.dmp

Filesize
6.1MB

Download
memory/1428-187-0x0000000005C20000-0x0000000005C96000-memory.dmp

Filesize
472KB

Download
memory/1428-145-0x0000000000000000-mapping.dmp

Download
memory/1428-186-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/1428-185-0x0000000004FA0000-0x0000000005032000-memory.dmp

Filesize
584KB

Download
memory/1428-158-0x0000000004D50000-0x0000000004E5A000-memory.dmp

Filesize
1.0MB

Download
memory/1428-164-0x0000000004C80000-0x0000000004CBC000-memory.dmp

Filesize
240KB

Download
memory/1428-163-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1484-132-0x000000000065E000-0x000000000066E000-memory.dmp

Filesize
64KB

Download
memory/1484-133-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/1484-134-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1484-135-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1644-157-0x0000000000000000-mapping.dmp

Download
memory/1784-162-0x0000000000000000-mapping.dmp

Download
memory/2104-173-0x0000000000000000-mapping.dmp

Download
memory/2104-194-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download
memory/2104-175-0x0000000000110000-0x0000000000119000-memory.dmp

Filesize
36KB

Download
memory/2104-174-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download
memory/3176-165-0x0000000000610000-0x0000000000615000-memory.dmp

Filesize
20KB

Download
memory/3176-166-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/3176-191-0x0000000000610000-0x0000000000615000-memory.dmp

Filesize
20KB

Download
memory/3176-159-0x0000000000000000-mapping.dmp

Download
memory/3612-180-0x00000000001C0000-0x00000000001C7000-memory.dmp

Filesize
28KB

Download
memory/3612-179-0x0000000000000000-mapping.dmp

Download
memory/3612-181-0x00000000001B0000-0x00000000001BD000-memory.dmp

Filesize
52KB

Download
memory/3612-196-0x00000000001C0000-0x00000000001C7000-memory.dmp

Filesize
28KB

Download
memory/3688-170-0x0000000000000000-mapping.dmp

Download
memory/3688-172-0x0000000000960000-0x0000000000987000-memory.dmp

Filesize
156KB

Download
memory/3688-193-0x0000000000990000-0x00000000009B2000-memory.dmp

Filesize
136KB

Download
memory/3688-171-0x0000000000990000-0x00000000009B2000-memory.dmp

Filesize
136KB

Download
memory/4192-160-0x0000000000000000-mapping.dmp

Download
memory/4200-136-0x0000000000000000-mapping.dmp

Download
memory/4200-139-0x0000000000AF0000-0x0000000000B06000-memory.dmp

Filesize
88KB

Download
memory/4200-142-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/4328-161-0x0000000000000000-mapping.dmp

Download
memory/4580-140-0x0000000000000000-mapping.dmp

Download
memory/4620-183-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/4620-184-0x00000000009D0000-0x00000000009DB000-memory.dmp

Filesize
44KB

Download
memory/4620-182-0x0000000000000000-mapping.dmp

Download
memory/4620-197-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/5036-152-0x0000000000000000-mapping.dmp

Download
memory/5036-154-0x0000000000190000-0x0000000000199000-memory.dmp

Filesize
36KB

Download
memory/5036-155-0x0000000000180000-0x000000000018F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads