redline | edbb77cc353bf39c1f0658e2711be30347245ab286e067d62578afa8135f9d2c

Analysis

max time kernel
44s
max time network
62s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
10-12-2023 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0006000000015c69-1466.exe
Size

37KB
MD5

70fe458368724ec513a918b628dc80a9
SHA1

ddb1cb2f62175134a941c9e80da4a883ba7e0bf2
SHA256

edbb77cc353bf39c1f0658e2711be30347245ab286e067d62578afa8135f9d2c
SHA512

b7c4522902d6aa6f5ee2740905ddfba5ed7842ad00a407d16a0936fbc3992029f7f7e0ab2d18fbe6c63f06bdd6f3a847a3b4ca058f1039c3c86d4744db28fcab
SSDEEP

768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

Score

10^/10

redline smokeloader @oleh_ps livetraffic backdoor infostealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://81.19.131.34/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

77.105.132.87:6731

Extracted

Family

redline

Botnet

@oleh_ps

176.123.7.190:32927

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/2648-12-0x0000000000080000-0x00000000000BC000-memory.dmp	family_redline
behavioral1/files/0x0008000000016da8-38.dat	family_redline
behavioral1/memory/572-41-0x0000000000010000-0x000000000004C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1212	Process not Found

Executes dropped EXE 3 IoCs

pid	Process
2648	C294.exe
3008	1343.exe
2004	192E.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x0006000000015c69-1466.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x0006000000015c69-1466.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x0006000000015c69-1466.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2220	0x0006000000015c69-1466.exe
2220	0x0006000000015c69-1466.exe
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2220	0x0006000000015c69-1466.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1212	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2648	1212	Process not Found	28
PID 1212 wrote to memory of 2648	1212	Process not Found	28
PID 1212 wrote to memory of 2648	1212	Process not Found	28
PID 1212 wrote to memory of 2648	1212	Process not Found	28
PID 1212 wrote to memory of 3008	1212	Process not Found	31
PID 1212 wrote to memory of 3008	1212	Process not Found	31
PID 1212 wrote to memory of 3008	1212	Process not Found	31
PID 1212 wrote to memory of 3008	1212	Process not Found	31
PID 1212 wrote to memory of 2004	1212	Process not Found	32
PID 1212 wrote to memory of 2004	1212	Process not Found	32
PID 1212 wrote to memory of 2004	1212	Process not Found	32
PID 1212 wrote to memory of 2004	1212	Process not Found	32

C:\Users\Admin\AppData\Local\Temp\0x0006000000015c69-1466.exe
"C:\Users\Admin\AppData\Local\Temp\0x0006000000015c69-1466.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2220

C:\Users\Admin\AppData\Local\Temp\C294.exe
C:\Users\Admin\AppData\Local\Temp\C294.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Users\Admin\AppData\Local\Temp\1343.exe
C:\Users\Admin\AppData\Local\Temp\1343.exe
1⤵
- Executes dropped EXE
PID:3008
- C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
  2⤵
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    PID:296
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:1048
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\tuc3.exe
  "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
  2⤵
  PID:828
- - C:\Users\Admin\AppData\Local\Temp\is-M45H6.tmp\tuc3.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-M45H6.tmp\tuc3.tmp" /SL5="$90156,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
    3⤵
    PID:1668
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  PID:2940

C:\Users\Admin\AppData\Local\Temp\192E.exe
C:\Users\Admin\AppData\Local\Temp\192E.exe
1⤵
- Executes dropped EXE
PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1720

C:\Users\Admin\AppData\Local\Temp\1D15.exe
C:\Users\Admin\AppData\Local\Temp\1D15.exe
1⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\398B.exe
C:\Users\Admin\AppData\Local\Temp\398B.exe
1⤵
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1343.exe

Filesize
20.7MB

MD5
d0c59443e41e1160209139841fa39c9f

SHA1
76be0077ce9dc5ef6756b8c202a6d5d94c759535

SHA256
de3b8eeffa2d3ce30a578af1de877afd5831e428ca7c0767933d6e6af9ac815c

SHA512
d954cd9752d04a8d182377505e5c9a9f942425daf99301e3a136d1dca7565d8b181485d08852194c1b9152752b75824ce55c052d3697bf0c54e48dfb56332f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\192E.exe

Filesize
279KB

MD5
0de1d0372e15bbfeded7fb418e8c00ae

SHA1
6d0dc8617e5bcdd48dd5b45d8f40b97e4bbce0a1

SHA256
98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502

SHA512
7b3f2d2cc3fce6707be938053fd94a8a5edb48f7dad787847bd362329b6f07657fd7f66ab1f5c5d78db12aa7a41717ea3c7cbe8a1706d2456d1c42e9b1fb4e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D15.exe

Filesize
219KB

MD5
91d23595c11c7ee4424b6267aabf3600

SHA1
ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02

SHA256
d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47

SHA512
cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
f81be07058935d224ab3843bff94fec0

SHA1
1a7360901f8cb5017f7a41ca1a6984227b712b16

SHA256
8d4df79cf6bf1cb8285b7358a7c6d92c7f665065999934b24c1175311d99fb6c

SHA512
342b2c767af972819c57091e9d9d65578522fa48549b6c40aad6791b0c65e186b377e3f095458e8b5d873ffdadd73897252a13bead652bd74a09540d2c27c96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\398B.exe

Filesize
4.3MB

MD5
5786e95d284ff9780db358c16c57d096

SHA1
614bf247daeda652fa472dc0c4f25c4205adc0d5

SHA256
4a958093259bb3c7667fb8d588b5e66144c5f617781db7196b8fe50c98e47038

SHA512
566fa870f5ec5af614be45ebe9a1cc11ff61490b336c7f9be541f48f4abdec64caa3c0ed73d673bb085aeb1339d43ed7c2d495bdb49a4e6ae8c51fd41193e1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\398B.exe

Filesize
4.2MB

MD5
af20e3cf9de3c0e7bb90ea8d7541de84

SHA1
05d358ec5e562b3c430876c51c781b7071a0c37d

SHA256
12038ec5762d869fd7c5505ef9ea831967e9e9ceb1471e9d462d9ef871e9e515

SHA512
cb4fb4127c8e48347b475dfd50cb6bf8a6db718b964479071549e8f80ef4c9a015bfd094a6f69ab09d1c78e86f625261206e02a6d1a40d224c6f9c6c9130f70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
1.9MB

MD5
d9b626726bbbb870a4ca03d7e324f5b7

SHA1
c05c4ac5cb2dbfc63915d6bd210ca1dc3b2dab22

SHA256
41ffee30479b27979cf44bbec2ece699b8b3de3d2a69288a52b3c694303fb413

SHA512
96e42170fd479c6dbdd197cb337f2866e2b215fae2a71b387c3cb25e6dc0f7128236b3c1f7a1d6efb0f439288a913774e0de117a276e4d2293e3ab2e03d22abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C294.exe

Filesize
401KB

MD5
f88edad62a7789c2c5d8047133da5fa7

SHA1
41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9

SHA256
eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc

SHA512
e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
1.9MB

MD5
9e104ccab12a0e14ba9841643b7fd64b

SHA1
368b5db95a3df522287fa63d228de25e7ad64070

SHA256
a4dc345e3f4fe8371943df9c300b1e3ec73b27d481475969503d271e236fa70a

SHA512
ecd731f7ea6aace394fbef78f50206a39b4ad8d356de992a319c06a2f5367db01877c24a5e2dbf1df32abb56c02126b3d38c03022e7c7dc84cf6efc6ee6d709a

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
291KB

MD5
cde750f39f58f1ec80ef41ce2f4f1db9

SHA1
942ea40349b0e5af7583fd34f4d913398a9c3b96

SHA256
0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094

SHA512
c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
5.1MB

MD5
91a69dec48dc15b353555a79cef36575

SHA1
bf7e97ff33bcbb8cff8d00a1a5a4182ddeccd6ce

SHA256
30aa453cc00ee528fbf9672c18651a498efe6df2ad3d0e54e149876078dfc1dd

SHA512
442f772c3a294b59d04c3a3563071e6995c64e3641dac97c654fe277196914eeba7b020e1e5848dd458cd2744875d6112077e742851ffdaf20e8292c54f8aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
7.2MB

MD5
64addb02b252beb7bbbd7ca330fa9694

SHA1
ff7f51aea81d684adb24d49f6ddebfde70b6a496

SHA256
4343d05c37293f1bc0cba45d4bf2d392e6dff6806b54e01ce2f1ddf9bbe5ec06

SHA512
9486cf567685f49d47fe0199275824e9853c4f2f15347dc851a2c6dd75951ed73dfc9383f6dc844383ff62a88650a846dc7831dec272fb77c5f67d1b3d4b6aa1

Download Submit
\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
2.4MB

MD5
e0fae9aca15d92a81235ad086c50f121

SHA1
9fca1c97a0daa7661464109abf735334cbac9ca0

SHA256
a885b0e713d8d322a7b44a16147a41e81995c2252d945b0f72c2918f2145fa1f

SHA512
f05da7ff13b0f6b1292e38cd207b5a6547bc751c98f9634db23368186ab1f80359051497e90ffdf14a8d3cdeee2111ee9b7455b52525bee1e0cc1ddcf1ac9c4c

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
2.3MB

MD5
77471d919a5e2151fb49f37c315af514

SHA1
0687047ed80aa348bdc1657731f21181995b654c

SHA256
52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1

SHA512
6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844

Download Submit
\Users\Admin\AppData\Local\Temp\is-M45H6.tmp\tuc3.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\Users\Admin\AppData\Local\Temp\is-TVCBG.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-TVCBG.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-TVCBG.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
2.0MB

MD5
197f558d600b37ed5a3a1f0f5d6ca9dd

SHA1
0018872599698537e2fbe00118bcc80c7fbe4b92

SHA256
e83a4a8e3c3529f8943de12dc2c087c3f5ba4fc92af37eaa5731e82b2f0c95ab

SHA512
fdbf1cf98f1d44e1b0330ea48575c41186a9ca86611bb173bb5e3d85049d38c561b4d35e840ff58560adeb9ce81abca9902d749b11af1929c948f1692f5ee9b7

Download Submit
\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
5.2MB

MD5
c2705eff238e3c94d4c62d69823aa4fe

SHA1
d2032a7669141c209e70f41348225288cc62cc78

SHA256
dcf831cde4970dff2b51c622d86829ccf3cc94196825a5404a645ba4a12e5b4e

SHA512
abb0cbb417cd0c0930bcce2029ce7190142e374ddefb125a48f2a151ed330969c8ef1266ca2948e2fe7d48a73c4df8ad8b879b9aded75b5c35e85f49b3a0db79

Download Submit
memory/572-41-0x0000000000010000-0x000000000004C000-memory.dmp

Filesize
240KB

Download
memory/572-48-0x0000000006FA0000-0x0000000006FE0000-memory.dmp

Filesize
256KB

Download
memory/572-42-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/828-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/828-76-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1212-1-0x0000000002930000-0x0000000002946000-memory.dmp

Filesize
88KB

Download
memory/1624-85-0x0000000000F30000-0x00000000014E2000-memory.dmp

Filesize
5.7MB

Download
memory/1624-89-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/1624-91-0x0000000005410000-0x0000000005450000-memory.dmp

Filesize
256KB

Download
memory/1668-100-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1720-39-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2220-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2220-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2648-18-0x0000000007550000-0x0000000007590000-memory.dmp

Filesize
256KB

Download
memory/2648-17-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-12-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/3008-27-0x0000000000AC0000-0x0000000001F76000-memory.dmp

Filesize
20.7MB

Download
memory/3008-26-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/3008-122-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download