redline | 75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4

General

Target

75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe
Size

207KB
MD5

29f9c469d2695d3d90204fd2f7226efd
SHA1

4ec4b5892bbeac6e37e8c609b54648bf40a123bb
SHA256

75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4
SHA512

b29421b982a1801ecb957c2868c9987c187979258f16e3493f2456e8ffaa0cee78da4129aba2b2e726351ba807ec813eaa5a375b36c24f2035a6eb0cd503f7cc
SSDEEP

3072:rDVjvYR+L4xC/yx9J2pJgZwl36OkjfWVEEcoTyYR:fCR+L4CMqBN6Ok6VeM9

Score

10^/10

redline smokeloader installs summ backdoor infostealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

summ

Extracted

Family

smokeloader

Version

2022

C2

http://stalagmijesarl.com/

http://ukdantist-sarl.com/

http://cpcorprotationltd.com/

rc4.i32

Extracted

Family

redline

Botnet

installs

C2

162.55.189.218:26952

Attributes

auth_value
4bdfa4191a2826ff2af143a4691bab78

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

1268
Executes dropped EXE 2 IoCs

Processes:

D461.exe1C99.exe

pid process

1984 D461.exe
1612 1C99.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1268

pid	process
1984	D461.exe
1612	1C99.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

D461.exe1C99.exe

description	pid	process	target process
PID 1984 set thread context of 2808	1984	D461.exe	AppLaunch.exe
PID 1612 set thread context of 1856	1612	1C99.exe	vbc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe

pid	process
2408	75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe
2408	75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1268

pid	process
1268

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe

pid	process
2408	75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exe

description pid process

Token: SeShutdownPrivilege 1268
Token: SeShutdownPrivilege 1268
Token: SeDebugPrivilege 1856 vbc.exe

description	pid	process
Token: SeShutdownPrivilege	1268
Token: SeShutdownPrivilege	1268
Token: SeDebugPrivilege	1856	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

D461.exe1C99.exe

description	pid	process	target process
PID 1268 wrote to memory of 1984	1268		D461.exe
PID 1268 wrote to memory of 1984	1268		D461.exe
PID 1268 wrote to memory of 1984	1268		D461.exe
PID 1268 wrote to memory of 1984	1268		D461.exe
PID 1984 wrote to memory of 2808	1984	D461.exe	AppLaunch.exe
PID 1984 wrote to memory of 2808	1984	D461.exe	AppLaunch.exe
PID 1984 wrote to memory of 2808	1984	D461.exe	AppLaunch.exe
PID 1984 wrote to memory of 2808	1984	D461.exe	AppLaunch.exe
PID 1984 wrote to memory of 2808	1984	D461.exe	AppLaunch.exe
PID 1984 wrote to memory of 2808	1984	D461.exe	AppLaunch.exe
PID 1984 wrote to memory of 2808	1984	D461.exe	AppLaunch.exe
PID 1984 wrote to memory of 2808	1984	D461.exe	AppLaunch.exe
PID 1984 wrote to memory of 2808	1984	D461.exe	AppLaunch.exe
PID 1984 wrote to memory of 2808	1984	D461.exe	AppLaunch.exe
PID 1984 wrote to memory of 2808	1984	D461.exe	AppLaunch.exe
PID 1984 wrote to memory of 2808	1984	D461.exe	AppLaunch.exe
PID 1268 wrote to memory of 1612	1268		1C99.exe
PID 1268 wrote to memory of 1612	1268		1C99.exe
PID 1268 wrote to memory of 1612	1268		1C99.exe
PID 1268 wrote to memory of 1612	1268		1C99.exe
PID 1612 wrote to memory of 1856	1612	1C99.exe	vbc.exe
PID 1612 wrote to memory of 1856	1612	1C99.exe	vbc.exe
PID 1612 wrote to memory of 1856	1612	1C99.exe	vbc.exe
PID 1612 wrote to memory of 1856	1612	1C99.exe	vbc.exe
PID 1612 wrote to memory of 1856	1612	1C99.exe	vbc.exe
PID 1612 wrote to memory of 1856	1612	1C99.exe	vbc.exe
PID 1268 wrote to memory of 1696	1268		explorer.exe
PID 1268 wrote to memory of 1696	1268		explorer.exe
PID 1268 wrote to memory of 1696	1268		explorer.exe
PID 1268 wrote to memory of 1696	1268		explorer.exe
PID 1268 wrote to memory of 1696	1268		explorer.exe
PID 1268 wrote to memory of 2508	1268		explorer.exe
PID 1268 wrote to memory of 2508	1268		explorer.exe
PID 1268 wrote to memory of 2508	1268		explorer.exe
PID 1268 wrote to memory of 2508	1268		explorer.exe
PID 1268 wrote to memory of 2216	1268		explorer.exe
PID 1268 wrote to memory of 2216	1268		explorer.exe
PID 1268 wrote to memory of 2216	1268		explorer.exe
PID 1268 wrote to memory of 2216	1268		explorer.exe
PID 1268 wrote to memory of 2216	1268		explorer.exe
PID 1268 wrote to memory of 2028	1268		explorer.exe
PID 1268 wrote to memory of 2028	1268		explorer.exe
PID 1268 wrote to memory of 2028	1268		explorer.exe
PID 1268 wrote to memory of 2028	1268		explorer.exe
PID 1268 wrote to memory of 2052	1268		explorer.exe
PID 1268 wrote to memory of 2052	1268		explorer.exe
PID 1268 wrote to memory of 2052	1268		explorer.exe
PID 1268 wrote to memory of 2052	1268		explorer.exe
PID 1268 wrote to memory of 2052	1268		explorer.exe
PID 1268 wrote to memory of 1092	1268		explorer.exe
PID 1268 wrote to memory of 1092	1268		explorer.exe
PID 1268 wrote to memory of 1092	1268		explorer.exe
PID 1268 wrote to memory of 1092	1268		explorer.exe
PID 1268 wrote to memory of 1092	1268		explorer.exe
PID 1268 wrote to memory of 1188	1268		explorer.exe
PID 1268 wrote to memory of 1188	1268		explorer.exe
PID 1268 wrote to memory of 1188	1268		explorer.exe
PID 1268 wrote to memory of 1188	1268		explorer.exe
PID 1268 wrote to memory of 1188	1268		explorer.exe
PID 1268 wrote to memory of 1796	1268		explorer.exe
PID 1268 wrote to memory of 1796	1268		explorer.exe
PID 1268 wrote to memory of 1796	1268		explorer.exe
PID 1268 wrote to memory of 1796	1268		explorer.exe
PID 1268 wrote to memory of 1776	1268		explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe
"C:\Users\Admin\AppData\Local\Temp\75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2408

C:\Users\Admin\AppData\Local\Temp\D461.exe
C:\Users\Admin\AppData\Local\Temp\D461.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\1C99.exe
C:\Users\Admin\AppData\Local\Temp\1C99.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1696

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2508

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2216

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2028

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2052

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1092

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1188

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1796

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
32beebd6870d315a2fa10784a7e5746f

SHA1
fcdfc9874da83e1b98b087a622e77ff0e52497a0

SHA256
f7c696aa1b1cd8f4cfa713cc8c0d6fe0ab02788ca6fcd115fc20133a29e3fbd4

SHA512
e62aac89e1cda744da33d010bc77bafa4586a018bfaa2fe77ac72d3bc7898b730d3d60336b504abe46d43808b8c27d99808ef8a393919274ddc7690fa7594c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C99.exe
Filesize
1.6MB

MD5
d57accb7d374c8489a3cde9533043084

SHA1
d627a1b90e3a1440838a0a7703c25328ad2db210

SHA256
e54b359e1dd5757218f6ab704f705f99e52363f755df843b680850b7e513b0ca

SHA512
7433d210ace1929e79cf4e3873246aef729b172bfeb74ee744813965533b1cf24ff288c6e6d2c75195365861d0ca149b5bccb9d48cb395b9eafe4d3d53557d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC3BE.tmp
Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D461.exe
Filesize
380KB

MD5
80c339b9cfb70abfcb04639c45ed43cd

SHA1
8528245af0095d13719df2d074783e7e3e3b7b9c

SHA256
75dd991971cab83f49b214ca6e3dca575395db63514e334f8b0065478af6f077

SHA512
4a54f03886aed7af2ff71e7f36e9193194c11ebf1d924922bdb8d5a0b70a73d001db3c263dbb193c188c6fe52070435da2771a6ecdba8310b40f7a5ef7f80c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\D461.exe
Filesize
380KB

MD5
80c339b9cfb70abfcb04639c45ed43cd

SHA1
8528245af0095d13719df2d074783e7e3e3b7b9c

SHA256
75dd991971cab83f49b214ca6e3dca575395db63514e334f8b0065478af6f077

SHA512
4a54f03886aed7af2ff71e7f36e9193194c11ebf1d924922bdb8d5a0b70a73d001db3c263dbb193c188c6fe52070435da2771a6ecdba8310b40f7a5ef7f80c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC557.tmp
Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
memory/1092-152-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1092-166-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1092-153-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1092-151-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1188-157-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1188-155-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1188-156-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/1188-167-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/1268-4-0x0000000002B60000-0x0000000002B76000-memory.dmp

Filesize
88KB

Download
memory/1612-128-0x0000000000EC0000-0x000000000105B000-memory.dmp

Filesize
1.6MB

Download
memory/1612-119-0x0000000000EC0000-0x000000000105B000-memory.dmp

Filesize
1.6MB

Download
memory/1696-150-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1696-134-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1696-135-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1696-146-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1696-136-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1776-169-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/1776-163-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1776-162-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/1776-161-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1796-168-0x0000000000060000-0x000000000006D000-memory.dmp

Filesize
52KB

Download
memory/1796-159-0x0000000000060000-0x000000000006D000-memory.dmp

Filesize
52KB

Download
memory/1796-160-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/1856-121-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1856-127-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1856-130-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-131-0x00000000071F0000-0x0000000007230000-memory.dmp

Filesize
256KB

Download
memory/1856-132-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-129-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1856-125-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1856-120-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2028-145-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/2028-143-0x00000000000F0000-0x00000000000F6000-memory.dmp

Filesize
24KB

Download
memory/2028-164-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/2052-165-0x00000000000B0000-0x00000000000D2000-memory.dmp

Filesize
136KB

Download
memory/2052-149-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/2052-148-0x00000000000B0000-0x00000000000D2000-memory.dmp

Filesize
136KB

Download
memory/2052-147-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/2216-158-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/2216-140-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/2216-141-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2216-142-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2408-1-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/2408-5-0x0000000000400000-0x0000000001399000-memory.dmp

Filesize
15.6MB

Download
memory/2408-2-0x0000000000400000-0x0000000001399000-memory.dmp

Filesize
15.6MB

Download
memory/2408-3-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/2508-154-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/2508-139-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/2508-137-0x0000000000070000-0x0000000000079000-memory.dmp

Filesize
36KB

Download
memory/2808-105-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2808-104-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2808-103-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2808-107-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2808-109-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2808-114-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2808-113-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2808-99-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2808-110-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2808-100-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2808-101-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2808-112-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2808-111-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads