redline | ec2327749fcfe81de5944c76521528d4df2c841e2ab56f728a2a2998ac390f53

General

Target

784658799545bf83160f5153d3deeeab.exe
Size

281KB
MD5

784658799545bf83160f5153d3deeeab
SHA1

672639474553aeb4100ef5d866f8576297fd8ee9
SHA256

ec2327749fcfe81de5944c76521528d4df2c841e2ab56f728a2a2998ac390f53
SHA512

9d32b1d7a2b04800d6aeb90728cbdfd8f783ed78e52ec3f2332504934fbc28eafc2e65839213d782ac695464763a38a9dfeff8fd62671c2ccc9788a09ba6c901
SSDEEP

6144:rlcaxBxvOnaFWpLA94fLsTOVE07MigavwVfS:rlcaZ8aFWpG4oTA7J

Score

10^/10

redline smokeloader logsdiller cloud (sup: @mr_golds)backdoor infostealer spyware trojan

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Sup: @mr_golds)

C2

77.73.134.27:8163

Attributes

auth_value
56c6f7b9024c076f0a96931453da7e56

Signatures

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4532-133-0x0000000002190000-0x0000000002199000-memory.dmp	family_smokeloader
behavioral2/memory/101792-154-0x00000000010E0000-0x00000000010E5000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/101816-145-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

BDD2.exe

pid process

228 BDD2.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

BDD2.exe

description pid process target process

PID 228 set thread context of 101816 228 BDD2.exe AppLaunch.exe

pid	process
228	BDD2.exe

description	pid	process	target process
PID 228 set thread context of 101816	228	BDD2.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

784658799545bf83160f5153d3deeeab.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	784658799545bf83160f5153d3deeeab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	784658799545bf83160f5153d3deeeab.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	784658799545bf83160f5153d3deeeab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

784658799545bf83160f5153d3deeeab.exe

pid	process
4532	784658799545bf83160f5153d3deeeab.exe
4532	784658799545bf83160f5153d3deeeab.exe
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2424
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

784658799545bf83160f5153d3deeeab.exe

pid process

4532 784658799545bf83160f5153d3deeeab.exe
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424

pid	process
2424

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeDebugPrivilege	101816	AppLaunch.exe
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

BDD2.exe

description	pid	process	target process
PID 2424 wrote to memory of 228	2424		BDD2.exe
PID 2424 wrote to memory of 228	2424		BDD2.exe
PID 2424 wrote to memory of 228	2424		BDD2.exe
PID 2424 wrote to memory of 10080	2424		explorer.exe
PID 2424 wrote to memory of 10080	2424		explorer.exe
PID 2424 wrote to memory of 10080	2424		explorer.exe
PID 2424 wrote to memory of 10080	2424		explorer.exe
PID 2424 wrote to memory of 76808	2424		explorer.exe
PID 2424 wrote to memory of 76808	2424		explorer.exe
PID 2424 wrote to memory of 76808	2424		explorer.exe
PID 2424 wrote to memory of 101792	2424		explorer.exe
PID 2424 wrote to memory of 101792	2424		explorer.exe
PID 2424 wrote to memory of 101792	2424		explorer.exe
PID 2424 wrote to memory of 101792	2424		explorer.exe
PID 228 wrote to memory of 101816	228	BDD2.exe	AppLaunch.exe
PID 228 wrote to memory of 101816	228	BDD2.exe	AppLaunch.exe
PID 228 wrote to memory of 101816	228	BDD2.exe	AppLaunch.exe
PID 228 wrote to memory of 101816	228	BDD2.exe	AppLaunch.exe
PID 228 wrote to memory of 101816	228	BDD2.exe	AppLaunch.exe
PID 2424 wrote to memory of 101848	2424		explorer.exe
PID 2424 wrote to memory of 101848	2424		explorer.exe
PID 2424 wrote to memory of 101848	2424		explorer.exe
PID 2424 wrote to memory of 101912	2424		explorer.exe
PID 2424 wrote to memory of 101912	2424		explorer.exe
PID 2424 wrote to memory of 101912	2424		explorer.exe
PID 2424 wrote to memory of 101912	2424		explorer.exe
PID 2424 wrote to memory of 101948	2424		explorer.exe
PID 2424 wrote to memory of 101948	2424		explorer.exe
PID 2424 wrote to memory of 101948	2424		explorer.exe
PID 2424 wrote to memory of 101948	2424		explorer.exe
PID 2424 wrote to memory of 101984	2424		explorer.exe
PID 2424 wrote to memory of 101984	2424		explorer.exe
PID 2424 wrote to memory of 101984	2424		explorer.exe
PID 2424 wrote to memory of 101984	2424		explorer.exe
PID 2424 wrote to memory of 102012	2424		explorer.exe
PID 2424 wrote to memory of 102012	2424		explorer.exe
PID 2424 wrote to memory of 102012	2424		explorer.exe
PID 2424 wrote to memory of 102040	2424		explorer.exe
PID 2424 wrote to memory of 102040	2424		explorer.exe
PID 2424 wrote to memory of 102040	2424		explorer.exe
PID 2424 wrote to memory of 102040	2424		explorer.exe

C:\Users\Admin\AppData\Local\Temp\784658799545bf83160f5153d3deeeab.exe
"C:\Users\Admin\AppData\Local\Temp\784658799545bf83160f5153d3deeeab.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4532

C:\Users\Admin\AppData\Local\Temp\BDD2.exe
C:\Users\Admin\AppData\Local\Temp\BDD2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:101816

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:10080

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:76808

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:101792

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:101848

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:101912

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:101948

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:101984

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:102012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:102040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BDD2.exe
Filesize
2.6MB

MD5
0b9978d5b7c98f448f01a37add0d1cab

SHA1
7faccb84b6e5f026ae2c9a57c85f44ae17ae8cfa

SHA256
dc2879d1ea852d721808045d04e9c98dca28623ace248eb2efdd84701255cd68

SHA512
e24b09ee83b9a4a36ca5594f1c12e9015b7f9eeb103de1a6bbe82ad5d453282fe834d5d5190886df7e8814bccd8dca7ec4009965717b6b57716f0907d8298b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDD2.exe
Filesize
2.6MB

MD5
0b9978d5b7c98f448f01a37add0d1cab

SHA1
7faccb84b6e5f026ae2c9a57c85f44ae17ae8cfa

SHA256
dc2879d1ea852d721808045d04e9c98dca28623ace248eb2efdd84701255cd68

SHA512
e24b09ee83b9a4a36ca5594f1c12e9015b7f9eeb103de1a6bbe82ad5d453282fe834d5d5190886df7e8814bccd8dca7ec4009965717b6b57716f0907d8298b7e

Download Submit
memory/228-136-0x0000000000000000-mapping.dmp

Download
memory/4532-133-0x0000000002190000-0x0000000002199000-memory.dmp

Filesize
36KB

Download
memory/4532-134-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4532-135-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4532-132-0x00000000005CE000-0x00000000005DE000-memory.dmp

Filesize
64KB

Download
memory/10080-182-0x0000000000D40000-0x0000000000D47000-memory.dmp

Filesize
28KB

Download
memory/10080-139-0x0000000000000000-mapping.dmp

Download
memory/10080-153-0x0000000000D40000-0x0000000000D47000-memory.dmp

Filesize
28KB

Download
memory/10080-156-0x0000000000D30000-0x0000000000D3B000-memory.dmp

Filesize
44KB

Download
memory/76808-140-0x0000000000000000-mapping.dmp

Download
memory/76808-176-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/76808-142-0x00000000003E0000-0x00000000003EF000-memory.dmp

Filesize
60KB

Download
memory/76808-141-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/101792-184-0x00000000010E0000-0x00000000010E5000-memory.dmp

Filesize
20KB

Download
memory/101792-143-0x0000000000000000-mapping.dmp

Download
memory/101792-155-0x00000000010D0000-0x00000000010D9000-memory.dmp

Filesize
36KB

Download
memory/101792-154-0x00000000010E0000-0x00000000010E5000-memory.dmp

Filesize
20KB

Download
memory/101816-163-0x0000000005440000-0x0000000005452000-memory.dmp

Filesize
72KB

Download
memory/101816-180-0x0000000007A30000-0x0000000007BF2000-memory.dmp

Filesize
1.8MB

Download
memory/101816-188-0x0000000006DF0000-0x0000000006E40000-memory.dmp

Filesize
320KB

Download
memory/101816-187-0x0000000006D70000-0x0000000006DE6000-memory.dmp

Filesize
472KB

Download
memory/101816-144-0x0000000000000000-mapping.dmp

Download
memory/101816-159-0x0000000005970000-0x0000000005F88000-memory.dmp

Filesize
6.1MB

Download
memory/101816-161-0x00000000054F0000-0x00000000055FA000-memory.dmp

Filesize
1.0MB

Download
memory/101816-145-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/101816-183-0x0000000008130000-0x000000000865C000-memory.dmp

Filesize
5.2MB

Download
memory/101816-164-0x0000000005460000-0x000000000549C000-memory.dmp

Filesize
240KB

Download
memory/101816-179-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/101816-178-0x0000000005F90000-0x0000000006022000-memory.dmp

Filesize
584KB

Download
memory/101816-177-0x0000000006540000-0x0000000006AE4000-memory.dmp

Filesize
5.6MB

Download
memory/101848-150-0x0000000000000000-mapping.dmp

Download
memory/101848-151-0x0000000000FC0000-0x0000000000FC6000-memory.dmp

Filesize
24KB

Download
memory/101848-181-0x0000000000FC0000-0x0000000000FC6000-memory.dmp

Filesize
24KB

Download
memory/101848-152-0x0000000000FB0000-0x0000000000FBC000-memory.dmp

Filesize
48KB

Download
memory/101912-157-0x0000000000000000-mapping.dmp

Download
memory/101912-158-0x0000000000D60000-0x0000000000D82000-memory.dmp

Filesize
136KB

Download
memory/101912-160-0x0000000000D30000-0x0000000000D57000-memory.dmp

Filesize
156KB

Download
memory/101948-162-0x0000000000000000-mapping.dmp

Download
memory/101948-185-0x0000000000D40000-0x0000000000D45000-memory.dmp

Filesize
20KB

Download
memory/101948-165-0x0000000000D40000-0x0000000000D45000-memory.dmp

Filesize
20KB

Download
memory/101948-166-0x0000000000D30000-0x0000000000D39000-memory.dmp

Filesize
36KB

Download
memory/101984-167-0x0000000000000000-mapping.dmp

Download
memory/101984-168-0x0000000000FC0000-0x0000000000FC6000-memory.dmp

Filesize
24KB

Download
memory/101984-186-0x0000000000FC0000-0x0000000000FC6000-memory.dmp

Filesize
24KB

Download
memory/101984-169-0x0000000000FB0000-0x0000000000FBB000-memory.dmp

Filesize
44KB

Download
memory/102012-172-0x00000000006D0000-0x00000000006DD000-memory.dmp

Filesize
52KB

Download
memory/102012-171-0x00000000006E0000-0x00000000006E7000-memory.dmp

Filesize
28KB

Download
memory/102012-170-0x0000000000000000-mapping.dmp

Download
memory/102012-189-0x00000000006E0000-0x00000000006E7000-memory.dmp

Filesize
28KB

Download
memory/102040-174-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/102040-173-0x0000000000000000-mapping.dmp

Download
memory/102040-175-0x0000000000520000-0x000000000052B000-memory.dmp

Filesize
44KB

Download
memory/102040-190-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads