Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
30-12-2022 20:40
General
-
Target
392de779e8aad944610da38650d4a70cea90b552639b66abd87d64a70df739fc.exe
-
Size
288KB
-
MD5
446bcd383aac5220a6f5d1ad3deaad30
-
SHA1
44c10410644922fdae49cf536ec4187081c05f82
-
SHA256
392de779e8aad944610da38650d4a70cea90b552639b66abd87d64a70df739fc
-
SHA512
f2ada3aa4bb6a0bc89e7393debad3701345c72f811279af52f256eee2164b47bbaf3641edc454312a39f52786e3ed87e5be4bb4b6194a810bd1e66ef10e9bc1b
-
SSDEEP
3072:LtoKf7G89LgSLV44RBWImOmquhSjKLhwz3PVfyLGsoEiL+8U9SkEqwi:fC2L3V4MWgrOhQ9fof8UIkEq
Malware Config
Extracted
redline
Redline Bot
193.42.244.249:5514
-
auth_value
dba2cba3a65b70477f54eb1d91e5f886
Extracted
redline
pub2
89.22.231.25:45245
-
auth_value
ea9464d486a641bb513057e5f63399e1
Signatures
-
Detects Smokeloader packer 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\392de779e8aad944610da38650d4a70cea90b552639b66abd87d64a70df739fc.exe"C:\Users\Admin\AppData\Local\Temp\392de779e8aad944610da38650d4a70cea90b552639b66abd87d64a70df739fc.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\4BAF.exeC:\Users\Admin\AppData\Local\Temp\4BAF.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4E02.exeC:\Users\Admin\AppData\Local\Temp\4E02.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5381.exeC:\Users\Admin\AppData\Local\Temp\5381.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 2402⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\55D4.exeC:\Users\Admin\AppData\Local\Temp\55D4.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 2402⤵
- Program crash
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2708 -ip 27081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4684 -ip 46841⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5467e33722458ccc9dd774bee4132446a
SHA1787f5f211299ef097f3640d964711a42d5465280
SHA256af8285f93b2846eb221831e8dbf92fd72005e246af67f40035b12c4065685289
SHA512897f362ad8be6e1538f682ec94007406f0f74b1ce4ab264cc029b140b0d101ee8e825106f95d03d2e3ce77445038524579c18ffb51e2b6e1274efdbf2501c317
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
278KB
MD5ffcb25b920df3bf357a12d6eabb0d491
SHA13cbf786a17db24ea91d26646d91ea4909e0cf455
SHA2561fe48238c1fe505741333ab50df52d474fab149444184fc8e16871c6075be8b2
SHA51214705e10f313df5012f4d0bc067583610afccf10c7e193f9d22de21aa0b4c9ca415ada1cd22f08b790de453eea4ac9ec14810b7efb5acf7f884b655a840fecba
-
Filesize
278KB
MD5ffcb25b920df3bf357a12d6eabb0d491
SHA13cbf786a17db24ea91d26646d91ea4909e0cf455
SHA2561fe48238c1fe505741333ab50df52d474fab149444184fc8e16871c6075be8b2
SHA51214705e10f313df5012f4d0bc067583610afccf10c7e193f9d22de21aa0b4c9ca415ada1cd22f08b790de453eea4ac9ec14810b7efb5acf7f884b655a840fecba
-
Filesize
278KB
MD57f2b9426653d6bcf225d0b43f7e94718
SHA1ce2fbbed00d26001f3d7de963bf5166956aa6e99
SHA256faaf18a19ebf2fedb29a84c7aad351a947d9c2b456f92cd7381075b384054857
SHA5120d0e8edb74ff33071bb7691f09b8351f3397c09f2383b3c077ab7c5f0a0263d96ac993b5d5cfd00bd3a0bdb8880e6170be33d0694f64924a9f02ef8db100ffd1
-
Filesize
278KB
MD57f2b9426653d6bcf225d0b43f7e94718
SHA1ce2fbbed00d26001f3d7de963bf5166956aa6e99
SHA256faaf18a19ebf2fedb29a84c7aad351a947d9c2b456f92cd7381075b384054857
SHA5120d0e8edb74ff33071bb7691f09b8351f3397c09f2383b3c077ab7c5f0a0263d96ac993b5d5cfd00bd3a0bdb8880e6170be33d0694f64924a9f02ef8db100ffd1
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
68KB
-
Filesize
36KB
-
Filesize
10.8MB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
5.2MB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
72KB
-
Filesize
200KB
-
Filesize
1.0MB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
408KB
-
Filesize
6.1MB
-
Filesize
200KB
-
Filesize
240KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
60KB