Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
30/12/2022, 23:39
General
-
Target
ccd62f4da29c960c9ddc2ccaa3369c83c6b6dc2dd64cf8d5d0847b42fbd100bb.exe
-
Size
289KB
-
MD5
48c23b32a4a23b8da203a26508d6e8a5
-
SHA1
5ef5b6fe78fd9d626b1aa39c370ff4106fde52f6
-
SHA256
ccd62f4da29c960c9ddc2ccaa3369c83c6b6dc2dd64cf8d5d0847b42fbd100bb
-
SHA512
90414810d573a9ffd4426e0cd06ef8b268467c39f64b04ddc68c3173fb0fdbf40b3f5c8dc6905abdbc88b61a7612470e3ffeefcef2849af95f5cc31c188bec97
-
SSDEEP
3072:rd2WksHbLJ7JVXcREGezRPundVfdAb9zwt3xUWLXeCz+8U9SkEqwi:FD7LzVXBGeVSAb9Gy8eCy8UIkEq
Malware Config
Extracted
redline
Redline Bot
193.42.244.249:5514
-
auth_value
dba2cba3a65b70477f54eb1d91e5f886
Extracted
redline
pub2
89.22.231.25:45245
-
auth_value
ea9464d486a641bb513057e5f63399e1
Signatures
-
Detects Smokeloader packer 2 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ccd62f4da29c960c9ddc2ccaa3369c83c6b6dc2dd64cf8d5d0847b42fbd100bb.exe"C:\Users\Admin\AppData\Local\Temp\ccd62f4da29c960c9ddc2ccaa3369c83c6b6dc2dd64cf8d5d0847b42fbd100bb.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\2693.exeC:\Users\Admin\AppData\Local\Temp\2693.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2972.exeC:\Users\Admin\AppData\Local\Temp\2972.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\300B.exeC:\Users\Admin\AppData\Local\Temp\300B.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1362⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\329C.exeC:\Users\Admin\AppData\Local\Temp\329C.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 2562⤵
- Program crash
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1276 -ip 12761⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3380 -ip 33801⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD509f87ebf033076d4019bf0a9ee1eb2e9
SHA1b6f912c024056fd8b8353010f948dcbf3836e54a
SHA256e9328bdf85ab57bacc3b598afe0f3f5da4bab5fbe43f60a8e11df110ecbb949a
SHA512c7fd8c5b4a770a85c96da0b4dda5953398456f0d5ed9164b0d795835b338e6e5bb194dbfdde25372813e651730da3ccbd4eacd18f9a8524aa804209fb38d5618
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
278KB
MD5ffcb25b920df3bf357a12d6eabb0d491
SHA13cbf786a17db24ea91d26646d91ea4909e0cf455
SHA2561fe48238c1fe505741333ab50df52d474fab149444184fc8e16871c6075be8b2
SHA51214705e10f313df5012f4d0bc067583610afccf10c7e193f9d22de21aa0b4c9ca415ada1cd22f08b790de453eea4ac9ec14810b7efb5acf7f884b655a840fecba
-
Filesize
278KB
MD5ffcb25b920df3bf357a12d6eabb0d491
SHA13cbf786a17db24ea91d26646d91ea4909e0cf455
SHA2561fe48238c1fe505741333ab50df52d474fab149444184fc8e16871c6075be8b2
SHA51214705e10f313df5012f4d0bc067583610afccf10c7e193f9d22de21aa0b4c9ca415ada1cd22f08b790de453eea4ac9ec14810b7efb5acf7f884b655a840fecba
-
Filesize
278KB
MD57f2b9426653d6bcf225d0b43f7e94718
SHA1ce2fbbed00d26001f3d7de963bf5166956aa6e99
SHA256faaf18a19ebf2fedb29a84c7aad351a947d9c2b456f92cd7381075b384054857
SHA5120d0e8edb74ff33071bb7691f09b8351f3397c09f2383b3c077ab7c5f0a0263d96ac993b5d5cfd00bd3a0bdb8880e6170be33d0694f64924a9f02ef8db100ffd1
-
Filesize
278KB
MD57f2b9426653d6bcf225d0b43f7e94718
SHA1ce2fbbed00d26001f3d7de963bf5166956aa6e99
SHA256faaf18a19ebf2fedb29a84c7aad351a947d9c2b456f92cd7381075b384054857
SHA5120d0e8edb74ff33071bb7691f09b8351f3397c09f2383b3c077ab7c5f0a0263d96ac993b5d5cfd00bd3a0bdb8880e6170be33d0694f64924a9f02ef8db100ffd1
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
200KB
-
Filesize
72KB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
36KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
68KB
-
Filesize
10.8MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
200KB
-
Filesize
240KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
10.8MB