redline | a61c4c824749fd30b2850fe824ae55082924e9bb4e186c23400a26fc4c5dadf0

General

Target

2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe
Size

186KB
MD5

0343235b3014134cd1f9c4f8f14bf327
SHA1

7df22fd8a194031121a4e4eba53d98c1a7f55bb8
SHA256

2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b
SHA512

1cefcccde826acf72f57d4a66f2cc22132773259aad246778a1fad3f059ec978a0d83b65eb3b447793d76629e0e20b6c4320d28ba42cf5c8acd70b102e3a7571
SSDEEP

3072:0vHATbTxwuWJy949xuZsG/t7GJ9JA4UJykW/JqZvoh:wYbTGuWC4HAVGJ98

Score

10^/10

redline smokeloader logsdiller cloud (telegram: @logsdillabot)pub1 backdoor infostealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

C2

5.42.65.50:33080

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3100-22-0x00000000001B0000-0x000000000021C000-memory.dmp	family_redline
behavioral2/memory/3068-23-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral2/memory/3100-24-0x00000000001B0000-0x000000000021C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

3376
Executes dropped EXE 1 IoCs

Processes:

B727.exe

pid process

3100 B727.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

B727.exe

description pid process target process

PID 3100 set thread context of 3068 3100 B727.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3376

pid	process
3100	B727.exe

description	pid	process	target process
PID 3100 set thread context of 3068	3100	B727.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe

pid	process
4472	2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe
4472	2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe

pid process

4472 2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3376
Token: SeCreatePagefilePrivilege	3376
Token: SeShutdownPrivilege	3376
Token: SeCreatePagefilePrivilege	3376
Token: SeShutdownPrivilege	3376
Token: SeCreatePagefilePrivilege	3376
Token: SeShutdownPrivilege	3376
Token: SeCreatePagefilePrivilege	3376
Token: SeShutdownPrivilege	3376
Token: SeCreatePagefilePrivilege	3376

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

cmd.exeB727.exe

description	pid	process	target process
PID 3376 wrote to memory of 460	3376		cmd.exe
PID 3376 wrote to memory of 460	3376		cmd.exe
PID 460 wrote to memory of 620	460	cmd.exe	reg.exe
PID 460 wrote to memory of 620	460	cmd.exe	reg.exe
PID 3376 wrote to memory of 3100	3376		B727.exe
PID 3376 wrote to memory of 3100	3376		B727.exe
PID 3376 wrote to memory of 3100	3376		B727.exe
PID 3100 wrote to memory of 2120	3100	B727.exe	RegAsm.exe
PID 3100 wrote to memory of 2120	3100	B727.exe	RegAsm.exe
PID 3100 wrote to memory of 2120	3100	B727.exe	RegAsm.exe
PID 3100 wrote to memory of 1752	3100	B727.exe	RegAsm.exe
PID 3100 wrote to memory of 1752	3100	B727.exe	RegAsm.exe
PID 3100 wrote to memory of 1752	3100	B727.exe	RegAsm.exe
PID 3100 wrote to memory of 3068	3100	B727.exe	RegAsm.exe
PID 3100 wrote to memory of 3068	3100	B727.exe	RegAsm.exe
PID 3100 wrote to memory of 3068	3100	B727.exe	RegAsm.exe
PID 3100 wrote to memory of 3068	3100	B727.exe	RegAsm.exe
PID 3100 wrote to memory of 3068	3100	B727.exe	RegAsm.exe
PID 3100 wrote to memory of 3068	3100	B727.exe	RegAsm.exe
PID 3100 wrote to memory of 3068	3100	B727.exe	RegAsm.exe
PID 3100 wrote to memory of 3068	3100	B727.exe	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe
"C:\Users\Admin\AppData\Local\Temp\2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\40DC.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4116 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\B727.exe
C:\Users\Admin\AppData\Local\Temp\B727.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Modifies system certificate store
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40DC.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\B727.exe
Filesize
425KB

MD5
4b46d4b91e2e2a46886dcc002b038732

SHA1
aa05669c460970a880956a07f17f87e4ae91a4b0

SHA256
5b5510b13f6c8b6ca635019e1473036a239f7b2f059ddb66bb9f8debbbe990c1

SHA512
a576a831c0cba678a57d19140f9a5899ee43beb0cac420dcb1ef9f6587d4755b57a392f1bc7714ac58ea3dc66b4b7ec13f44c2e770fe58bb123a0eae5a3d4080

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp8A93.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
1113c1ab90996b5f5ca2b5e7c292e168

SHA1
0c58bf78640f6dc8922613e28c7d71ec610b2151

SHA256
e1fdb89c236109c6f8dbb98f95a903415684f4ed892c053d90799253845260cd

SHA512
8639158c9fc146406e642f7022d473a36b6d2689cc61833f8eeb03c480259ee7dc6f99ee888d2359cd23bf697e7833d1e753a2f90560a743adf0f4581b38e3bf

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
dba4c9da0667b893c996fe4158a6283c

SHA1
4a39bc4dab3997076369f623d2a7506ced7b88ce

SHA256
e6cc8c1bfa559ffdcb62d40a704206c2d3fa404f2dd94357a14a623b00d04d07

SHA512
5496d4a33c35482e80eab0c22336fe67f51b5f65a37c63305833a741cb8365b6d0dcff3ededcfaeab2f85dd7a8e86b8186b37124fcdf594fb752990729c7e405

Download Submit
memory/3068-27-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/3068-49-0x0000000006640000-0x000000000665E000-memory.dmp

Filesize
120KB

Download
memory/3068-58-0x00000000068F0000-0x000000000693C000-memory.dmp

Filesize
304KB

Download
memory/3068-57-0x0000000006780000-0x00000000067BC000-memory.dmp

Filesize
240KB

Download
memory/3068-56-0x0000000006720000-0x0000000006732000-memory.dmp

Filesize
72KB

Download
memory/3068-23-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3068-55-0x00000000067E0000-0x00000000068EA000-memory.dmp

Filesize
1.0MB

Download
memory/3068-25-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/3068-26-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/3068-54-0x0000000006C80000-0x0000000007298000-memory.dmp

Filesize
6.1MB

Download
memory/3068-28-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/3068-29-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/3068-30-0x00000000052C0000-0x00000000052CA000-memory.dmp

Filesize
40KB

Download
memory/3068-48-0x00000000061D0000-0x0000000006246000-memory.dmp

Filesize
472KB

Download
memory/3068-47-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/3100-24-0x00000000001B0000-0x000000000021C000-memory.dmp

Filesize
432KB

Download
memory/3100-22-0x00000000001B0000-0x000000000021C000-memory.dmp

Filesize
432KB

Download
memory/3376-5-0x0000000002CE0000-0x0000000002CF6000-memory.dmp

Filesize
88KB

Download
memory/4472-4-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/4472-9-0x00000000006D0000-0x00000000006DB000-memory.dmp

Filesize
44KB

Download
memory/4472-3-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/4472-2-0x00000000006D0000-0x00000000006DB000-memory.dmp

Filesize
44KB

Download
memory/4472-1-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/4472-6-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads