redline | 8b978cea455f253e274933089679a398069a42108e037cb3f930f168fb89c3cb

Analysis

max time kernel
53s
max time network
69s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
10-12-2023 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b5ab18b1fb6b220e32a614dfb5b4de2.exe
Size

37KB
MD5

0b5ab18b1fb6b220e32a614dfb5b4de2
SHA1

42b2d5dcf34395173b96899113d42080f0053643
SHA256

8b978cea455f253e274933089679a398069a42108e037cb3f930f168fb89c3cb
SHA512

999bcc43833f18abf11804bec0acc419a03dbce7ebc3900dfd3cdb5fe8e66af5baa71f8961c13d7a38162e73206ae245d3eb2ef6eb24d1b17de001f6b6324bf7
SSDEEP

768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

Score

10^/10

redline smokeloader @oleh_ps livetraffic up3 backdoor infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://81.19.131.34/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

77.105.132.87:6731

Extracted

Family

redline

Botnet

@oleh_ps

176.123.7.190:32927

Extracted

Family

smokeloader

Botnet

up3

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/2612-12-0x0000000000160000-0x000000000019C000-memory.dmp	family_redline
behavioral1/files/0x00080000000155fd-44.dat	family_redline
behavioral1/memory/1936-46-0x00000000001C0000-0x00000000001FC000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1340	Process not Found

Executes dropped EXE 2 IoCs

pid	Process
2612	E6F5.exe
780	5C83.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0b5ab18b1fb6b220e32a614dfb5b4de2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0b5ab18b1fb6b220e32a614dfb5b4de2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0b5ab18b1fb6b220e32a614dfb5b4de2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1600	0b5ab18b1fb6b220e32a614dfb5b4de2.exe
1600	0b5ab18b1fb6b220e32a614dfb5b4de2.exe
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found
1340	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1600	0b5ab18b1fb6b220e32a614dfb5b4de2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1340	Process not Found
Token: SeShutdownPrivilege	1340	Process not Found
Token: SeShutdownPrivilege	1340	Process not Found
Token: SeDebugPrivilege	2612	E6F5.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2612	1340	Process not Found	28
PID 1340 wrote to memory of 2612	1340	Process not Found	28
PID 1340 wrote to memory of 2612	1340	Process not Found	28
PID 1340 wrote to memory of 2612	1340	Process not Found	28
PID 1340 wrote to memory of 780	1340	Process not Found	32
PID 1340 wrote to memory of 780	1340	Process not Found	32
PID 1340 wrote to memory of 780	1340	Process not Found	32
PID 1340 wrote to memory of 780	1340	Process not Found	32

C:\Users\Admin\AppData\Local\Temp\0b5ab18b1fb6b220e32a614dfb5b4de2.exe
"C:\Users\Admin\AppData\Local\Temp\0b5ab18b1fb6b220e32a614dfb5b4de2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1600

C:\Users\Admin\AppData\Local\Temp\E6F5.exe
C:\Users\Admin\AppData\Local\Temp\E6F5.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Users\Admin\AppData\Local\Temp\5C83.exe
C:\Users\Admin\AppData\Local\Temp\5C83.exe
1⤵
- Executes dropped EXE
PID:780
- C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
  2⤵
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    PID:436
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:2012
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:2228
- C:\Users\Admin\AppData\Local\Temp\tuc3.exe
  "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
  2⤵
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\is-G68OT.tmp\tuc3.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-G68OT.tmp\tuc3.tmp" /SL5="$C0154,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
    3⤵
    PID:2820
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  PID:2000

C:\Users\Admin\AppData\Local\Temp\62F9.exe
C:\Users\Admin\AppData\Local\Temp\62F9.exe
1⤵
PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:732

C:\Users\Admin\AppData\Local\Temp\64AF.exe
C:\Users\Admin\AppData\Local\Temp\64AF.exe
1⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\8395.exe
C:\Users\Admin\AppData\Local\Temp\8395.exe
1⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\8F78.exe
C:\Users\Admin\AppData\Local\Temp\8F78.exe
1⤵
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5C83.exe

Filesize
7.4MB

MD5
64ffaff7a0564aa34f926f00deea4092

SHA1
b6d6d6e3e62c53227bb2b4e9e2615ffd2d0bc3b0

SHA256
199a8406815d252ae60b9da37872d3dae91a8ccdd405dd1d03c99e5836a822f2

SHA512
d8de2f68c983a6912f0a03fb30723f11b10c5f668b3e8eae14206c04708299328466447a1eea7ac6da25104208be75252f8f16946348f0db3da119b40e184034

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C83.exe

Filesize
13.4MB

MD5
0640f04636283bc249369c9984352219

SHA1
4b0c2a1327429bd953c2317cc7f709f5bd3a6fab

SHA256
5680ef566b5306d28c0d305663d0db5656878777870e8907ad26e030d2d2191e

SHA512
11c97e506dd0bc5fbe5ef6089f7fb9820c9ea413eb904621dea5a1c2abcfc09bc1e9e517cd711e39d86f30e6853d4d335698dd376c83c7071dfc96df065f1ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\62F9.exe

Filesize
279KB

MD5
0de1d0372e15bbfeded7fb418e8c00ae

SHA1
6d0dc8617e5bcdd48dd5b45d8f40b97e4bbce0a1

SHA256
98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502

SHA512
7b3f2d2cc3fce6707be938053fd94a8a5edb48f7dad787847bd362329b6f07657fd7f66ab1f5c5d78db12aa7a41717ea3c7cbe8a1706d2456d1c42e9b1fb4e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\64AF.exe

Filesize
219KB

MD5
91d23595c11c7ee4424b6267aabf3600

SHA1
ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02

SHA256
d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47

SHA512
cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8395.exe

Filesize
3.4MB

MD5
8d09350c3131abdf2fa43416ddcb3d3f

SHA1
f4b1a541aa842b1fda73d4ad9584da9582325bb4

SHA256
c1a5a57d0a5fd8fdf99961338c03d8d034fd2e42a0cc6ec4c72af17c415cf89f

SHA512
f32b0ba0f49222100f8f594ff4c752004538c23e299408509e3a96ac1f36977aaed020a385f2085f061df40b8148bce9619d4c31d63eb34ecc992873432cbb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6F5.exe

Filesize
401KB

MD5
f88edad62a7789c2c5d8047133da5fa7

SHA1
41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9

SHA256
eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc

SHA512
e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
2.2MB

MD5
ca79c57d43a74daae47f94e545e84662

SHA1
9d443978e2a178a671f77650c10ce4b33e58dd0c

SHA256
6f9d8cbd1d66130ba4e2d654a2bbadcccd5190dcce9d8ef9476274c9951fb323

SHA512
f0a8475e64784cb5a197b81a1d62c91c7af6515377fbc396f632c5da7c2e3af38f1ddd82ddbfbd6a58248f987ac17d6a7c9b8414dbd644064b0c349d76501d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
291KB

MD5
cde750f39f58f1ec80ef41ce2f4f1db9

SHA1
942ea40349b0e5af7583fd34f4d913398a9c3b96

SHA256
0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094

SHA512
c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
6.6MB

MD5
7949c0454952c796e7c8809c753559aa

SHA1
5e6fd39e253b1308355541b2dadf39b6fc58a8df

SHA256
0d98ce0a818987a134b86bb17dd8858d23b5e4800856cc233ddd53255502199b

SHA512
a2260f0af390aa572cb013f3ae0bcee50e527212bf904f2e94fa34446242d387d0555296c0e490dc0cd4106f04b108b859cd6a7b5b51438e9d2723e8dcb51461

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
6.5MB

MD5
f31e487943e88471c50a45f98cf3ba36

SHA1
093eec02722af94b433aa01f431273fb5f5e8b9f

SHA256
892f9a7e4036bc3e6860c66366874f718b0b7d746763445043b08402d01527a5

SHA512
0625967c6933522ca4b65953defd9bcc2338755556f1a20be0463e0497fed00fc57f5d99b599d7bab74f6cf2c75275f231a4f83268b25e1d88b0f0231f9f80c5

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
f81be07058935d224ab3843bff94fec0

SHA1
1a7360901f8cb5017f7a41ca1a6984227b712b16

SHA256
8d4df79cf6bf1cb8285b7358a7c6d92c7f665065999934b24c1175311d99fb6c

SHA512
342b2c767af972819c57091e9d9d65578522fa48549b6c40aad6791b0c65e186b377e3f095458e8b5d873ffdadd73897252a13bead652bd74a09540d2c27c96e

Download Submit
\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
4.6MB

MD5
3238f20f0c13941f90a15efa34deb7de

SHA1
e2df2dc9c062f3250196586c073773f9c0df6e9a

SHA256
8af289f695e0aba3bd55bc14afe41f5e7fca88298042fbb9c12839412e93685d

SHA512
df19aebeb724be22f453d19c18554990c62c31a79944de1a8bb1e75fb4dc01bb6085afc23fbe6f81a3a232b605d48e1fc2e8677656980287ebf1dc6f7e297cd0

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
2.3MB

MD5
77471d919a5e2151fb49f37c315af514

SHA1
0687047ed80aa348bdc1657731f21181995b654c

SHA256
52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1

SHA512
6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844

Download Submit
\Users\Admin\AppData\Local\Temp\is-DPV0K.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-DPV0K.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-DPV0K.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-G68OT.tmp\tuc3.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
1.4MB

MD5
44723bfa045a39954d74b08ed1cd900a

SHA1
0d55114212097cc1f8e3c3fcb116567ab29bd458

SHA256
3af7e0f26aac0c1613bafe6d6e1bfc8cc8da95d11e9b92ed76682cd8b7804c63

SHA512
fb64750979727ddf3af53df23e135116a6cb491981cde9d054894da25628b4b437f2d52a61fd6f27ce5a3eeb107507dd4984cb35ca9f37edb6d82a45813672a6

Download Submit
\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
6.7MB

MD5
54f55ac9adbcda91fdbe8a6fdd4f91e9

SHA1
b5a7be6dadc3d471b2b2d9fae88d14c9ff76962e

SHA256
a87b471a0968b4e803a2a5dbe681325f6da4fccb60522fe2c719bc1fda192898

SHA512
583b91d12590cdc6b207c0801608ba22525f7b55eeb17c9bf6ec9da9fbc668bab606f6b5ce2ada7005035ca629a3f11d3adf25ca568b676e0896bc872231bae4

Download Submit
memory/436-129-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/780-133-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/780-26-0x0000000000120000-0x00000000015D6000-memory.dmp

Filesize
20.7MB

Download
memory/780-25-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1340-1-0x00000000026B0000-0x00000000026C6000-memory.dmp

Filesize
88KB

Download
memory/1436-125-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1436-123-0x0000000000992000-0x00000000009A5000-memory.dmp

Filesize
76KB

Download
memory/1600-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1600-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1936-45-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1936-57-0x0000000000550000-0x0000000000590000-memory.dmp

Filesize
256KB

Download
memory/1936-46-0x00000000001C0000-0x00000000001FC000-memory.dmp

Filesize
240KB

Download
memory/1952-78-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1952-75-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2012-124-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2012-121-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2012-119-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2228-134-0x00000000026D0000-0x0000000002AC8000-memory.dmp

Filesize
4.0MB

Download
memory/2612-12-0x0000000000160000-0x000000000019C000-memory.dmp

Filesize
240KB

Download
memory/2612-17-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2612-18-0x0000000007580000-0x00000000075C0000-memory.dmp

Filesize
256KB

Download
memory/2612-38-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2820-109-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download