Malware Analysis Report

2025-04-14 05:17

Sample ID 230927-3yn3kagc86
Target f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2
SHA256 f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2
Tags
redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2

Threat Level: Known bad

The file f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2 was found to be: Known bad.

Malicious Activity Summary

redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor infostealer trojan

RedLine

SmokeLoader

Downloads MZ/PE file

Executes dropped EXE

Unsigned PE

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-27 23:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-27 23:55

Reported

2023-09-27 23:58

Platform

win10v2004-20230915-en

Max time kernel

141s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe"

Signatures

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2C61.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2D1D.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3172 wrote to memory of 4844 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C61.exe
PID 3172 wrote to memory of 4844 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C61.exe
PID 3172 wrote to memory of 4844 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C61.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe

"C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe"

C:\Users\Admin\AppData\Local\Temp\2C61.exe

C:\Users\Admin\AppData\Local\Temp\2C61.exe

C:\Users\Admin\AppData\Local\Temp\2D1D.exe

C:\Users\Admin\AppData\Local\Temp\2D1D.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\304B.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\304B.dll

C:\Users\Admin\AppData\Local\Temp\3240.exe

C:\Users\Admin\AppData\Local\Temp\3240.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\3454.exe

C:\Users\Admin\AppData\Local\Temp\3454.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1172 -ip 1172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 368

C:\Users\Admin\AppData\Local\Temp\47CD.exe

C:\Users\Admin\AppData\Local\Temp\47CD.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3454.exe" -Force

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
BG 193.42.32.101:80 193.42.32.101 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp

Files

memory/2320-0-0x0000000002190000-0x00000000021A5000-memory.dmp

memory/2320-1-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/2320-2-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2320-3-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3172-4-0x0000000003240000-0x0000000003256000-memory.dmp

memory/2320-5-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2320-9-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/2320-8-0x0000000002190000-0x00000000021A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2C61.exe

MD5 8c581ea3a1ea8a3792e8a1ce692272c5
SHA1 0888e77676d8b9c1d919c3fce1f08053f829349d
SHA256 aebf7862b39cb99fe17f34b7f34cd4badb0ec4b35ab4662b8614a2996e336630
SHA512 b57c0432da908655a99783b615bb6c2eee46b89b884920cd59b853de5150c9c03f6fb44155b746255247e97afb112495a62a13f793f37f6f2092ab7df9cab1ca

C:\Users\Admin\AppData\Local\Temp\2D1D.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

C:\Users\Admin\AppData\Local\Temp\304B.dll

MD5 1ab6c1d7f480fa84080c5ea04328841c
SHA1 4e98a73776cdb17fcbef5d3c24c2c809443317e0
SHA256 71998d732d2df7220d044181117be67b53bc1566d66dcf4a4ace737112915a1f
SHA512 34766634f8bdb7ea1e2bd64db0719697b1550b854d059f84e0b97ac30cbc8a76b50537459d8845087d5cbcd4f55c2cc344a904b6239630587e204e8a9b7b8fb2

C:\Users\Admin\AppData\Local\Temp\3240.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

C:\Users\Admin\AppData\Local\Temp\3454.exe

MD5 8a648cfc49900458f2826a9c9ef0c249
SHA1 4ccbf306cbf710c888306fb64dd0db8a454b088c
SHA256 56a70d420ecefd9ecf3103be1e075306abb0af704d28e1aad41756e4287e2a4e
SHA512 8d55011b881d3aef4200109d4f3dee3bea7dfc89c858ffc7d2a600369e565012f6260085cbeb948a739c0746b5cafd582d83983c1f1b67e3cfb54d992ddffe4a

memory/1192-28-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4528-33-0x0000000010000000-0x00000000102A9000-memory.dmp

memory/4204-36-0x0000000074040000-0x00000000747F0000-memory.dmp

memory/4204-37-0x0000000005270000-0x000000000530C000-memory.dmp

memory/1192-39-0x0000000002B10000-0x0000000002B16000-memory.dmp

memory/4204-34-0x0000000000970000-0x0000000000A10000-memory.dmp

memory/4204-41-0x00000000058C0000-0x0000000005E64000-memory.dmp

memory/4528-40-0x0000000002C00000-0x0000000002C06000-memory.dmp

memory/1192-38-0x0000000074040000-0x00000000747F0000-memory.dmp

memory/4204-42-0x00000000053B0000-0x0000000005442000-memory.dmp

memory/4204-43-0x00000000055C0000-0x00000000055D0000-memory.dmp

memory/4204-44-0x0000000005370000-0x000000000537A000-memory.dmp

memory/4204-46-0x00000000055D0000-0x00000000055F8000-memory.dmp

memory/1192-54-0x00000000052D0000-0x00000000052E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\47CD.exe

MD5 dbac035d695ef90ef64a8a1823be1c70
SHA1 9149869b57ef67edc3a75b9bc52ba5e8371cb516
SHA256 702840d4f81d7624a973d78fb80d57e74486d2026489acbd9b6122b6aecdfab3
SHA512 46bb754eb905d2bc7971a7cdd8d805590fe8db79f1c63377f76e9b72f899fbe83d9adf88cb716304f842e52f750826436bc60233b8d82316125ae830be671aa0

C:\Users\Admin\AppData\Local\Temp\47CD.exe

MD5 568dde481b816b4d8a6fad212ea3c3ed
SHA1 da944c28e647e6019fdfc6f24950cb961b1e2f36
SHA256 dd3638e7775aa8c6e29a2f81e7a6eb89beed163fe391483192f4f58c34059580
SHA512 3497838fe995d14cb2c346b6a9909c3da3a64740f68454cb4d16d6cd91c3db7211666fa524358c303b7293dfe4a5ac795f94dd2e43c4ac7f4835a47a2862be81

memory/3684-57-0x0000000074040000-0x00000000747F0000-memory.dmp

memory/1192-56-0x0000000005320000-0x000000000535C000-memory.dmp

memory/3684-55-0x0000000000B40000-0x00000000011D4000-memory.dmp

memory/1192-51-0x0000000005290000-0x00000000052A2000-memory.dmp

memory/1192-59-0x0000000005360000-0x00000000053AC000-memory.dmp

memory/4204-49-0x0000000005620000-0x000000000563A000-memory.dmp

memory/1192-47-0x00000000053F0000-0x00000000054FA000-memory.dmp

memory/1192-45-0x0000000005900000-0x0000000005F18000-memory.dmp