redline | 0f8b56af0b1be1247a5bf989a92eca657855d96e4b3b9eac1a109cbe8bfbd40a

General

Target

2ae08b2b339f8593d743991cce0c747c.exe
Size

130KB
MD5

2ae08b2b339f8593d743991cce0c747c
SHA1

d99acc1fc5702475f27c729be631fb0c4d2f1625
SHA256

0f8b56af0b1be1247a5bf989a92eca657855d96e4b3b9eac1a109cbe8bfbd40a
SHA512

bc6c43377168db0d06a682e4f99187bd06f16b1da058e37090ae902ed8dd87fa68578fa17cf3cf9b223b91c5c648e8b3e492030f026a6253aa28efaaf16633f2
SSDEEP

3072:YKiT13Tc5d/Lb4dc+oytXrlvfYa1f+Mxn5B:E1E/vD+Z2aJ+Mx

Score

10^/10

redline smokeloader logsdiller cloud (tg: @mr_golds)backdoor discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @mr_golds)

C2

77.73.134.27:7161

Attributes

auth_value
4b2de03af6b6ac513ac597c2e6c1ad51

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3228-134-0x00000000022B0000-0x00000000022B9000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/102088-141-0x00000000004B0000-0x00000000004D8000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

24B9.exe311E.exe3AB4.exe

pid process

2712 24B9.exe
102148 311E.exe
102232 3AB4.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

24B9.exe

description pid process target process

PID 2712 set thread context of 102088 2712 24B9.exe AppLaunch.exe

pid	process
2712	24B9.exe
102148	311E.exe
102232	3AB4.exe

description	pid	process	target process
PID 2712 set thread context of 102088	2712	24B9.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2ae08b2b339f8593d743991cce0c747c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2ae08b2b339f8593d743991cce0c747c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2ae08b2b339f8593d743991cce0c747c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2ae08b2b339f8593d743991cce0c747c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2ae08b2b339f8593d743991cce0c747c.exe

pid	process
3228	2ae08b2b339f8593d743991cce0c747c.exe
3228	2ae08b2b339f8593d743991cce0c747c.exe
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2740
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

2ae08b2b339f8593d743991cce0c747c.exe

pid process

3228 2ae08b2b339f8593d743991cce0c747c.exe
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740

pid	process
2740

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

311E.exeAppLaunch.exe

description	pid	process
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeDebugPrivilege	102148	311E.exe
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeDebugPrivilege	102088	AppLaunch.exe
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

24B9.exe

description	pid	process	target process
PID 2740 wrote to memory of 2712	2740		24B9.exe
PID 2740 wrote to memory of 2712	2740		24B9.exe
PID 2740 wrote to memory of 2712	2740		24B9.exe
PID 2712 wrote to memory of 102088	2712	24B9.exe	AppLaunch.exe
PID 2712 wrote to memory of 102088	2712	24B9.exe	AppLaunch.exe
PID 2712 wrote to memory of 102088	2712	24B9.exe	AppLaunch.exe
PID 2712 wrote to memory of 102088	2712	24B9.exe	AppLaunch.exe
PID 2712 wrote to memory of 102088	2712	24B9.exe	AppLaunch.exe
PID 2740 wrote to memory of 102148	2740		311E.exe
PID 2740 wrote to memory of 102148	2740		311E.exe
PID 2740 wrote to memory of 102148	2740		311E.exe
PID 2740 wrote to memory of 102232	2740		3AB4.exe
PID 2740 wrote to memory of 102232	2740		3AB4.exe
PID 2740 wrote to memory of 102232	2740		3AB4.exe
PID 2740 wrote to memory of 102356	2740		explorer.exe
PID 2740 wrote to memory of 102356	2740		explorer.exe
PID 2740 wrote to memory of 102356	2740		explorer.exe
PID 2740 wrote to memory of 102356	2740		explorer.exe
PID 2740 wrote to memory of 102396	2740		explorer.exe
PID 2740 wrote to memory of 102396	2740		explorer.exe
PID 2740 wrote to memory of 102396	2740		explorer.exe
PID 2740 wrote to memory of 3100	2740		explorer.exe
PID 2740 wrote to memory of 3100	2740		explorer.exe
PID 2740 wrote to memory of 3100	2740		explorer.exe
PID 2740 wrote to memory of 3100	2740		explorer.exe
PID 2740 wrote to memory of 2728	2740		explorer.exe
PID 2740 wrote to memory of 2728	2740		explorer.exe
PID 2740 wrote to memory of 2728	2740		explorer.exe
PID 2740 wrote to memory of 204	2740		explorer.exe
PID 2740 wrote to memory of 204	2740		explorer.exe
PID 2740 wrote to memory of 204	2740		explorer.exe
PID 2740 wrote to memory of 204	2740		explorer.exe
PID 2740 wrote to memory of 4228	2740		explorer.exe
PID 2740 wrote to memory of 4228	2740		explorer.exe
PID 2740 wrote to memory of 4228	2740		explorer.exe
PID 2740 wrote to memory of 4228	2740		explorer.exe
PID 2740 wrote to memory of 3912	2740		explorer.exe
PID 2740 wrote to memory of 3912	2740		explorer.exe
PID 2740 wrote to memory of 3912	2740		explorer.exe
PID 2740 wrote to memory of 3912	2740		explorer.exe
PID 2740 wrote to memory of 3928	2740		explorer.exe
PID 2740 wrote to memory of 3928	2740		explorer.exe
PID 2740 wrote to memory of 3928	2740		explorer.exe
PID 2740 wrote to memory of 3440	2740		explorer.exe
PID 2740 wrote to memory of 3440	2740		explorer.exe
PID 2740 wrote to memory of 3440	2740		explorer.exe
PID 2740 wrote to memory of 3440	2740		explorer.exe

C:\Users\Admin\AppData\Local\Temp\2ae08b2b339f8593d743991cce0c747c.exe
"C:\Users\Admin\AppData\Local\Temp\2ae08b2b339f8593d743991cce0c747c.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3228

C:\Users\Admin\AppData\Local\Temp\24B9.exe
C:\Users\Admin\AppData\Local\Temp\24B9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:102088

C:\Users\Admin\AppData\Local\Temp\311E.exe
C:\Users\Admin\AppData\Local\Temp\311E.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:102148

C:\Users\Admin\AppData\Local\Temp\3AB4.exe
C:\Users\Admin\AppData\Local\Temp\3AB4.exe
1⤵
- Executes dropped EXE
PID:102232

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:102356

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:102396

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3100

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2728

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:204

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4228

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3912

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3928

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24B9.exe
Filesize
2.6MB

MD5
caa086e140d4ffbc78a1a4c91869a973

SHA1
8d5b4f00412169130ffba2167e502601b007b526

SHA256
bd245b6180cf30b67108be0b3afad151434f065c5590a3dae5d8568146090dc8

SHA512
f94286f599ae3d87e06f1df6f8794e0c7e968237dfa734e69ee68432ef45eb5b7eb3b70287815b0b9225eb5b86f2a010a8c9708e54799c7c12a0d346ec4b1ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\24B9.exe
Filesize
2.6MB

MD5
caa086e140d4ffbc78a1a4c91869a973

SHA1
8d5b4f00412169130ffba2167e502601b007b526

SHA256
bd245b6180cf30b67108be0b3afad151434f065c5590a3dae5d8568146090dc8

SHA512
f94286f599ae3d87e06f1df6f8794e0c7e968237dfa734e69ee68432ef45eb5b7eb3b70287815b0b9225eb5b86f2a010a8c9708e54799c7c12a0d346ec4b1ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\311E.exe
Filesize
255KB

MD5
07ea3bc2b9eaacd002de4f59803ef234

SHA1
8a796069e5eac844f40b4487c80ed1c93316a331

SHA256
2302396062d7523a230f0a81ada322bb8907e11d006c0ec29a37821dd084bfe1

SHA512
d89e46145536d9b5fc310b72b24a4b1790100bbfd18b39a48dd10938255233132f0d87190c4c84c2b78076d9b0a39c4c9f6f27ece40a9b3f93b3e65aaca2c092

Download Submit
C:\Users\Admin\AppData\Local\Temp\311E.exe
Filesize
255KB

MD5
07ea3bc2b9eaacd002de4f59803ef234

SHA1
8a796069e5eac844f40b4487c80ed1c93316a331

SHA256
2302396062d7523a230f0a81ada322bb8907e11d006c0ec29a37821dd084bfe1

SHA512
d89e46145536d9b5fc310b72b24a4b1790100bbfd18b39a48dd10938255233132f0d87190c4c84c2b78076d9b0a39c4c9f6f27ece40a9b3f93b3e65aaca2c092

Download Submit
C:\Users\Admin\AppData\Local\Temp\3AB4.exe
Filesize
337KB

MD5
25e6c3058f4e1331ad1d886f48170866

SHA1
dac4d0c2a39a76530426bef95ad5a5d10b4b625d

SHA256
c6e2deb30016057cf4fbe8aecdbbb7142332e3e561c98fb125797e3da6391506

SHA512
0df3e761e000f1c7bf2e698be541fdd46c9f4bf21cf7c150a4ad6ddb447e834f53447ab8bf70a3965d8c77d2795b988f93c7f5bafb83b67d8a60b674a7ceda64

Download Submit
C:\Users\Admin\AppData\Local\Temp\3AB4.exe
Filesize
337KB

MD5
25e6c3058f4e1331ad1d886f48170866

SHA1
dac4d0c2a39a76530426bef95ad5a5d10b4b625d

SHA256
c6e2deb30016057cf4fbe8aecdbbb7142332e3e561c98fb125797e3da6391506

SHA512
0df3e761e000f1c7bf2e698be541fdd46c9f4bf21cf7c150a4ad6ddb447e834f53447ab8bf70a3965d8c77d2795b988f93c7f5bafb83b67d8a60b674a7ceda64

Download Submit
memory/204-179-0x0000000000370000-0x0000000000392000-memory.dmp

Filesize
136KB

Download
memory/204-176-0x0000000000000000-mapping.dmp

Download
memory/204-200-0x0000000000370000-0x0000000000392000-memory.dmp

Filesize
136KB

Download
memory/204-180-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/2712-137-0x0000000000000000-mapping.dmp

Download
memory/2728-199-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/2728-173-0x0000000000000000-mapping.dmp

Download
memory/2728-174-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/2728-175-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/3100-198-0x0000000000B20000-0x0000000000B25000-memory.dmp

Filesize
20KB

Download
memory/3100-171-0x0000000000B20000-0x0000000000B25000-memory.dmp

Filesize
20KB

Download
memory/3100-172-0x0000000000B10000-0x0000000000B19000-memory.dmp

Filesize
36KB

Download
memory/3100-170-0x0000000000000000-mapping.dmp

Download
memory/3228-133-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/3228-136-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3228-135-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3228-134-0x00000000022B0000-0x00000000022B9000-memory.dmp

Filesize
36KB

Download
memory/3440-204-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/3440-191-0x0000000000000000-mapping.dmp

Download
memory/3440-194-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/3440-195-0x0000000000AD0000-0x0000000000ADB000-memory.dmp

Filesize
44KB

Download
memory/3912-185-0x0000000000000000-mapping.dmp

Download
memory/3912-186-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/3912-187-0x00000000005C0000-0x00000000005CB000-memory.dmp

Filesize
44KB

Download
memory/3912-202-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/3928-188-0x0000000000000000-mapping.dmp

Download
memory/3928-190-0x0000000000580000-0x000000000058D000-memory.dmp

Filesize
52KB

Download
memory/3928-203-0x0000000000590000-0x0000000000597000-memory.dmp

Filesize
28KB

Download
memory/3928-189-0x0000000000590000-0x0000000000597000-memory.dmp

Filesize
28KB

Download
memory/4228-181-0x0000000000000000-mapping.dmp

Download
memory/4228-183-0x00000000001C0000-0x00000000001C5000-memory.dmp

Filesize
20KB

Download
memory/4228-201-0x00000000001C0000-0x00000000001C5000-memory.dmp

Filesize
20KB

Download
memory/4228-184-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/102088-141-0x00000000004B0000-0x00000000004D8000-memory.dmp

Filesize
160KB

Download
memory/102088-152-0x0000000004E50000-0x0000000004E8C000-memory.dmp

Filesize
240KB

Download
memory/102088-151-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/102088-147-0x0000000004F20000-0x000000000502A000-memory.dmp

Filesize
1.0MB

Download
memory/102088-146-0x0000000005430000-0x0000000005A48000-memory.dmp

Filesize
6.1MB

Download
memory/102088-140-0x0000000000000000-mapping.dmp

Download
memory/102148-155-0x00000000020A0000-0x00000000020D8000-memory.dmp

Filesize
224KB

Download
memory/102148-193-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/102148-160-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/102148-164-0x00000000065E0000-0x00000000065FE000-memory.dmp

Filesize
120KB

Download
memory/102148-156-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/102148-163-0x0000000006530000-0x00000000065A6000-memory.dmp

Filesize
472KB

Download
memory/102148-154-0x00000000007D9000-0x0000000000803000-memory.dmp

Filesize
168KB

Download
memory/102148-161-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/102148-178-0x0000000007B20000-0x000000000804C000-memory.dmp

Filesize
5.2MB

Download
memory/102148-153-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/102148-192-0x00000000007D9000-0x0000000000803000-memory.dmp

Filesize
168KB

Download
memory/102148-182-0x0000000008160000-0x00000000081B0000-memory.dmp

Filesize
320KB

Download
memory/102148-177-0x0000000007950000-0x0000000007B12000-memory.dmp

Filesize
1.8MB

Download
memory/102148-148-0x0000000000000000-mapping.dmp

Download
memory/102232-157-0x0000000000000000-mapping.dmp

Download
memory/102356-196-0x0000000000670000-0x0000000000677000-memory.dmp

Filesize
28KB

Download
memory/102356-162-0x0000000000000000-mapping.dmp

Download
memory/102356-165-0x0000000000670000-0x0000000000677000-memory.dmp

Filesize
28KB

Download
memory/102356-166-0x0000000000660000-0x000000000066B000-memory.dmp

Filesize
44KB

Download
memory/102396-197-0x0000000000AE0000-0x0000000000AE9000-memory.dmp

Filesize
36KB

Download
memory/102396-169-0x0000000000AD0000-0x0000000000ADF000-memory.dmp

Filesize
60KB

Download
memory/102396-167-0x0000000000000000-mapping.dmp

Download
memory/102396-168-0x0000000000AE0000-0x0000000000AE9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads