redline | 8575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4

General

Target

8575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4.exe
Size

173KB
MD5

afd0ba85921f22baf6771b08c1f0b7b4
SHA1

9ac3587851f3b187b4de239aabf9831173949469
SHA256

8575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4
SHA512

c0162eb418bac2dee40bebc32e5b68b500637cadccb9737c49b49bbc1286ab0744de95275a8a7ff9ad92f9bc5715156a69d7de93eb47934d1e7862dc12b66d45
SSDEEP

3072:x6rLUa5GZx4mZln4PnzpLYN7DG5pB7LKSOx/Pk9Dn:8LUDj4mUlLYN7DiXeS

Score

10^/10

redline smokeloader logsdiller cloud (sup: @mr_golds)backdoor infostealer spyware trojan

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Sup: @mr_golds)

C2

77.73.134.27:8163

Attributes

auth_value
56c6f7b9024c076f0a96931453da7e56

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4884-133-0x00000000022C0000-0x00000000022C9000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/102140-165-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/98264-200-0x0000000000140000-0x0000000000146000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

64F4.exe6766.exe

pid process

3564 64F4.exe
5168 6766.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

6766.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 6766.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

64F4.exe

description pid process target process

PID 3564 set thread context of 102140 3564 64F4.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3564	64F4.exe
5168	6766.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6766.exe

description	pid	process	target process
PID 3564 set thread context of 102140	3564	64F4.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4.exe

pid	process
4884	8575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4.exe
4884	8575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4.exe
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3060

pid	process
3060

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

8575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4.exe

pid	process
4884	8575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4.exe
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exeAppLaunch.exe

description	pid	process
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeDebugPrivilege	102196	powershell.exe
Token: SeDebugPrivilege	102140	AppLaunch.exe
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

64F4.exe6766.exe

description	pid	process	target process
PID 3060 wrote to memory of 3564	3060		64F4.exe
PID 3060 wrote to memory of 3564	3060		64F4.exe
PID 3060 wrote to memory of 3564	3060		64F4.exe
PID 3060 wrote to memory of 5168	3060		6766.exe
PID 3060 wrote to memory of 5168	3060		6766.exe
PID 3060 wrote to memory of 5168	3060		6766.exe
PID 3060 wrote to memory of 9036	3060		explorer.exe
PID 3060 wrote to memory of 9036	3060		explorer.exe
PID 3060 wrote to memory of 9036	3060		explorer.exe
PID 3060 wrote to memory of 9036	3060		explorer.exe
PID 3060 wrote to memory of 20944	3060		explorer.exe
PID 3060 wrote to memory of 20944	3060		explorer.exe
PID 3060 wrote to memory of 20944	3060		explorer.exe
PID 3060 wrote to memory of 36724	3060		explorer.exe
PID 3060 wrote to memory of 36724	3060		explorer.exe
PID 3060 wrote to memory of 36724	3060		explorer.exe
PID 3060 wrote to memory of 36724	3060		explorer.exe
PID 3060 wrote to memory of 51740	3060		explorer.exe
PID 3060 wrote to memory of 51740	3060		explorer.exe
PID 3060 wrote to memory of 51740	3060		explorer.exe
PID 3060 wrote to memory of 66768	3060		explorer.exe
PID 3060 wrote to memory of 66768	3060		explorer.exe
PID 3060 wrote to memory of 66768	3060		explorer.exe
PID 3060 wrote to memory of 66768	3060		explorer.exe
PID 3060 wrote to memory of 82692	3060		explorer.exe
PID 3060 wrote to memory of 82692	3060		explorer.exe
PID 3060 wrote to memory of 82692	3060		explorer.exe
PID 3060 wrote to memory of 82692	3060		explorer.exe
PID 3060 wrote to memory of 98264	3060		explorer.exe
PID 3060 wrote to memory of 98264	3060		explorer.exe
PID 3060 wrote to memory of 98264	3060		explorer.exe
PID 3060 wrote to memory of 98264	3060		explorer.exe
PID 3564 wrote to memory of 102140	3564	64F4.exe	AppLaunch.exe
PID 3564 wrote to memory of 102140	3564	64F4.exe	AppLaunch.exe
PID 3564 wrote to memory of 102140	3564	64F4.exe	AppLaunch.exe
PID 3564 wrote to memory of 102140	3564	64F4.exe	AppLaunch.exe
PID 3564 wrote to memory of 102140	3564	64F4.exe	AppLaunch.exe
PID 5168 wrote to memory of 102196	5168	6766.exe	powershell.exe
PID 5168 wrote to memory of 102196	5168	6766.exe	powershell.exe
PID 5168 wrote to memory of 102196	5168	6766.exe	powershell.exe
PID 3060 wrote to memory of 102260	3060		explorer.exe
PID 3060 wrote to memory of 102260	3060		explorer.exe
PID 3060 wrote to memory of 102260	3060		explorer.exe
PID 3060 wrote to memory of 102344	3060		explorer.exe
PID 3060 wrote to memory of 102344	3060		explorer.exe
PID 3060 wrote to memory of 102344	3060		explorer.exe
PID 3060 wrote to memory of 102344	3060		explorer.exe

C:\Users\Admin\AppData\Local\Temp\8575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4.exe
"C:\Users\Admin\AppData\Local\Temp\8575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4884

C:\Users\Admin\AppData\Local\Temp\64F4.exe
C:\Users\Admin\AppData\Local\Temp\64F4.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:102140

C:\Users\Admin\AppData\Local\Temp\6766.exe
C:\Users\Admin\AppData\Local\Temp\6766.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyADMA
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:102196

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:9036

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:20944

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:36724

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:51740

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:66768

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:82692

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:98264

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:102260

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:102344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\64F4.exe
Filesize
2.6MB

MD5
0b9978d5b7c98f448f01a37add0d1cab

SHA1
7faccb84b6e5f026ae2c9a57c85f44ae17ae8cfa

SHA256
dc2879d1ea852d721808045d04e9c98dca28623ace248eb2efdd84701255cd68

SHA512
e24b09ee83b9a4a36ca5594f1c12e9015b7f9eeb103de1a6bbe82ad5d453282fe834d5d5190886df7e8814bccd8dca7ec4009965717b6b57716f0907d8298b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\64F4.exe
Filesize
2.6MB

MD5
0b9978d5b7c98f448f01a37add0d1cab

SHA1
7faccb84b6e5f026ae2c9a57c85f44ae17ae8cfa

SHA256
dc2879d1ea852d721808045d04e9c98dca28623ace248eb2efdd84701255cd68

SHA512
e24b09ee83b9a4a36ca5594f1c12e9015b7f9eeb103de1a6bbe82ad5d453282fe834d5d5190886df7e8814bccd8dca7ec4009965717b6b57716f0907d8298b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6766.exe
Filesize
1.1MB

MD5
137b9eea525bfc1e54784bb2f450b8b9

SHA1
e34f7a90d8f1994413184f819d23869e7bb273b1

SHA256
1b4b2a3aaa2f2c85b12f84e346b947230bbe6ae2af7883f2019549ba6c295d26

SHA512
3aeff673467741685ff1819dc5089a7088c12d9d16cc0f72507c1703c4f85639eb28801feeec8bf71a1d500938cb556db724e6f0e4d3876aea7517b6fcdccb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6766.exe
Filesize
1.1MB

MD5
137b9eea525bfc1e54784bb2f450b8b9

SHA1
e34f7a90d8f1994413184f819d23869e7bb273b1

SHA256
1b4b2a3aaa2f2c85b12f84e346b947230bbe6ae2af7883f2019549ba6c295d26

SHA512
3aeff673467741685ff1819dc5089a7088c12d9d16cc0f72507c1703c4f85639eb28801feeec8bf71a1d500938cb556db724e6f0e4d3876aea7517b6fcdccb8c

Download Submit
memory/3564-137-0x0000000000000000-mapping.dmp

Download
memory/4884-133-0x00000000022C0000-0x00000000022C9000-memory.dmp

Filesize
36KB

Download
memory/4884-134-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/4884-135-0x0000000000838000-0x0000000000849000-memory.dmp

Filesize
68KB

Download
memory/4884-136-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/4884-132-0x0000000000838000-0x0000000000849000-memory.dmp

Filesize
68KB

Download
memory/5168-140-0x0000000000000000-mapping.dmp

Download
memory/5168-144-0x0000000000EE0000-0x0000000001004000-memory.dmp

Filesize
1.1MB

Download
memory/5168-160-0x0000000008FE0000-0x0000000009002000-memory.dmp

Filesize
136KB

Download
memory/9036-143-0x0000000000000000-mapping.dmp

Download
memory/9036-146-0x0000000000DA0000-0x0000000000DA7000-memory.dmp

Filesize
28KB

Download
memory/9036-148-0x0000000000D90000-0x0000000000D9B000-memory.dmp

Filesize
44KB

Download
memory/9036-188-0x0000000000DA0000-0x0000000000DA7000-memory.dmp

Filesize
28KB

Download
memory/20944-150-0x0000000000300000-0x000000000030F000-memory.dmp

Filesize
60KB

Download
memory/20944-191-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/20944-145-0x0000000000000000-mapping.dmp

Download
memory/20944-149-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/36724-151-0x0000000000CA0000-0x0000000000CA9000-memory.dmp

Filesize
36KB

Download
memory/36724-153-0x0000000000CB0000-0x0000000000CB5000-memory.dmp

Filesize
20KB

Download
memory/36724-192-0x0000000000CB0000-0x0000000000CB5000-memory.dmp

Filesize
20KB

Download
memory/36724-147-0x0000000000000000-mapping.dmp

Download
memory/51740-193-0x0000000000120000-0x0000000000126000-memory.dmp

Filesize
24KB

Download
memory/51740-152-0x0000000000000000-mapping.dmp

Download
memory/51740-155-0x0000000000110000-0x000000000011C000-memory.dmp

Filesize
48KB

Download
memory/51740-154-0x0000000000120000-0x0000000000126000-memory.dmp

Filesize
24KB

Download
memory/66768-158-0x0000000000900000-0x0000000000927000-memory.dmp

Filesize
156KB

Download
memory/66768-194-0x0000000000930000-0x0000000000952000-memory.dmp

Filesize
136KB

Download
memory/66768-157-0x0000000000930000-0x0000000000952000-memory.dmp

Filesize
136KB

Download
memory/66768-156-0x0000000000000000-mapping.dmp

Download
memory/82692-162-0x0000000000D00000-0x0000000000D09000-memory.dmp

Filesize
36KB

Download
memory/82692-197-0x0000000000D10000-0x0000000000D15000-memory.dmp

Filesize
20KB

Download
memory/82692-161-0x0000000000D10000-0x0000000000D15000-memory.dmp

Filesize
20KB

Download
memory/82692-159-0x0000000000000000-mapping.dmp

Download
memory/98264-170-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/98264-200-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/98264-163-0x0000000000000000-mapping.dmp

Download
memory/98264-171-0x0000000000130000-0x000000000013B000-memory.dmp

Filesize
44KB

Download
memory/102140-180-0x0000000005500000-0x0000000005B18000-memory.dmp

Filesize
6.1MB

Download
memory/102140-199-0x0000000005FE0000-0x0000000006030000-memory.dmp

Filesize
320KB

Download
memory/102140-198-0x0000000005F60000-0x0000000005FD6000-memory.dmp

Filesize
472KB

Download
memory/102140-203-0x0000000006980000-0x0000000006B42000-memory.dmp

Filesize
1.8MB

Download
memory/102140-204-0x0000000007080000-0x00000000075AC000-memory.dmp

Filesize
5.2MB

Download
memory/102140-182-0x0000000005010000-0x000000000511A000-memory.dmp

Filesize
1.0MB

Download
memory/102140-183-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/102140-184-0x0000000004FA0000-0x0000000004FDC000-memory.dmp

Filesize
240KB

Download
memory/102140-196-0x0000000005EC0000-0x0000000005F52000-memory.dmp

Filesize
584KB

Download
memory/102140-195-0x00000000063D0000-0x0000000006974000-memory.dmp

Filesize
5.6MB

Download
memory/102140-164-0x0000000000000000-mapping.dmp

Download
memory/102140-165-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/102196-173-0x0000000002D20000-0x0000000002D56000-memory.dmp

Filesize
216KB

Download
memory/102196-179-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/102196-172-0x0000000000000000-mapping.dmp

Download
memory/102196-189-0x0000000007990000-0x000000000800A000-memory.dmp

Filesize
6.5MB

Download
memory/102196-190-0x00000000067F0000-0x000000000680A000-memory.dmp

Filesize
104KB

Download
memory/102196-187-0x0000000006300000-0x000000000631E000-memory.dmp

Filesize
120KB

Download
memory/102196-175-0x00000000057F0000-0x0000000005E18000-memory.dmp

Filesize
6.2MB

Download
memory/102196-178-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/102260-174-0x0000000000000000-mapping.dmp

Download
memory/102260-177-0x00000000012D0000-0x00000000012DD000-memory.dmp

Filesize
52KB

Download
memory/102260-201-0x00000000012E0000-0x00000000012E7000-memory.dmp

Filesize
28KB

Download
memory/102260-176-0x00000000012E0000-0x00000000012E7000-memory.dmp

Filesize
28KB

Download
memory/102344-181-0x0000000000000000-mapping.dmp

Download
memory/102344-185-0x0000000000910000-0x0000000000918000-memory.dmp

Filesize
32KB

Download
memory/102344-202-0x0000000000910000-0x0000000000918000-memory.dmp

Filesize
32KB

Download
memory/102344-186-0x0000000000900000-0x000000000090B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads