redline | 3f428f05c1b7bb9e2d893d7c196eefec5e6cff1d1c1b761fea5ccec17e1bab3c

Analysis

max time kernel
151s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2023 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

smokeloader/cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe
Size

216KB
MD5

7e9e7194490b4508e85827a6eddbbf50
SHA1

8c39812d7ff46b9d3a8d24e8637df8c173ca27aa
SHA256

cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0
SHA512

2e6da9d8fb9c26b3ed5bb5a528e40a595ed7942372b7a986e1f842faaee54cbcb7017561756ae5abeff337d33cb0ca8940860bab401d6bff47d7afadcb837585
SSDEEP

3072:XqstoULxtY+fpzP9991sxpR8zRVg1miGKRJBwptUhJV6/SaR5:zPLJf5DsSzXg1dJB+tUhJVg/

Score

10^/10

redline smokeloader pub1 backdoor discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://perficut.at/tmp/

http://rutobacco.ru/tmp/

http://aingular.com/tmp /

http://piratia-life.ru/tmp/

rc4.i32

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 23 IoCs

Processes:

resource	yara_rule
behavioral6/memory/3528-165-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-166-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-168-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-173-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-176-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-178-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-180-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-182-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-184-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-186-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-188-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-190-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-192-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-194-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-196-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-198-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-200-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-202-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-204-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-206-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-208-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-210-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline
behavioral6/memory/3528-212-0x0000000004C50000-0x0000000004CA2000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

C2D8.exe

pid process

3528 C2D8.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2100 3528 WerFault.exe C2D8.exe

pid	process
3528	C2D8.exe

pid	pid_target	process	target process
2100	3528	WerFault.exe	C2D8.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe

pid	process
536	cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe
536	cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3128
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe

pid process

536 cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe

pid	process
3128

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

C2D8.exe

description	pid	process
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeDebugPrivilege	3528	C2D8.exe
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3128
3128

pid	process
3128
3128

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

description	pid	target process
PID 3128 wrote to memory of 3528	3128	C2D8.exe
PID 3128 wrote to memory of 3528	3128	C2D8.exe
PID 3128 wrote to memory of 3528	3128	C2D8.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\smokeloader\cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe
"C:\Users\Admin\AppData\Local\Temp\smokeloader\cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:536

C:\Users\Admin\AppData\Local\Temp\C2D8.exe
C:\Users\Admin\AppData\Local\Temp\C2D8.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 1284
2⤵
- Program crash
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3528 -ip 3528
1⤵
PID:4876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C2D8.exe
Filesize
362KB

MD5
e4c6a768403292b2ae0da84a47db8ba4

SHA1
f8b06d1256ab5adaea64666c7b27dba44852ac4f

SHA256
96c2be33de19295cf39f4a62afa004cfe106689e965d1d080c98e7619b593774

SHA512
002e066114c8a0df4ce9251c51a509e65f46432453656fead1b64e8e327980f6abf3a03022b9e7e1803f4bd10db27ac0cd55e57f42bec1bc9c5e0198e07eba46

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2D8.exe
Filesize
362KB

MD5
e4c6a768403292b2ae0da84a47db8ba4

SHA1
f8b06d1256ab5adaea64666c7b27dba44852ac4f

SHA256
96c2be33de19295cf39f4a62afa004cfe106689e965d1d080c98e7619b593774

SHA512
002e066114c8a0df4ce9251c51a509e65f46432453656fead1b64e8e327980f6abf3a03022b9e7e1803f4bd10db27ac0cd55e57f42bec1bc9c5e0198e07eba46

Download Submit
memory/536-134-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/536-136-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/3128-135-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/3128-139-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-140-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-141-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/3128-142-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-143-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-144-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-145-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-146-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-147-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-148-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-149-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-151-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-150-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-152-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-153-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-154-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-155-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/3128-993-0x0000000007DC0000-0x0000000007DC2000-memory.dmp

Filesize
8KB

Download
memory/3128-1010-0x0000000000C70000-0x0000000000C72000-memory.dmp

Filesize
8KB

Download
memory/3128-1011-0x0000000000C80000-0x0000000000C8A000-memory.dmp

Filesize
40KB

Download
memory/3528-178-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-202-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-168-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-169-0x0000000001FE0000-0x0000000002042000-memory.dmp

Filesize
392KB

Download
memory/3528-171-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/3528-173-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-174-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/3528-172-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/3528-176-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-165-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-180-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-182-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-184-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-186-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-188-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-190-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-192-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-194-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-196-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-198-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-200-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-166-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-204-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-206-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-208-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-210-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-212-0x0000000004C50000-0x0000000004CA2000-memory.dmp

Filesize
328KB

Download
memory/3528-959-0x0000000005310000-0x0000000005928000-memory.dmp

Filesize
6.1MB

Download
memory/3528-960-0x0000000004D20000-0x0000000004D32000-memory.dmp

Filesize
72KB

Download
memory/3528-961-0x0000000005930000-0x0000000005A3A000-memory.dmp

Filesize
1.0MB

Download
memory/3528-962-0x0000000005A40000-0x0000000005A7C000-memory.dmp

Filesize
240KB

Download
memory/3528-963-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/3528-964-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/3528-965-0x0000000006CF0000-0x0000000006D82000-memory.dmp

Filesize
584KB

Download
memory/3528-966-0x0000000006EB0000-0x0000000006F26000-memory.dmp

Filesize
472KB

Download
memory/3528-967-0x0000000006F60000-0x0000000006F7E000-memory.dmp

Filesize
120KB

Download
memory/3528-968-0x0000000007010000-0x0000000007060000-memory.dmp

Filesize
320KB

Download
memory/3528-969-0x0000000007090000-0x0000000007252000-memory.dmp

Filesize
1.8MB

Download
memory/3528-970-0x0000000007260000-0x000000000778C000-memory.dmp

Filesize
5.2MB

Download
memory/3528-973-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/3528-164-0x0000000004D60000-0x0000000005304000-memory.dmp

Filesize
5.6MB

Download
memory/3528-974-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/3528-975-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download