redline | 30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9

General

Target

30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe
Size

324KB
MD5

b53fd458a492bc8159c7343ff6facaf9
SHA1

2ad05ffaf407e06a2e41216f66a3839f8d107273
SHA256

30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9
SHA512

1392b9b8ec4dd8105edd3b1361db62be6c160dc56263e194fab03ee5a2006ef6e33d25c37a2bae440f894a5a1fc45d0c3555c1c3160fc7b00fc2b1ef1f87f9bc
SSDEEP

3072:Vb1H04IyGEONN+odMzT9DkIbG9BLYmiFjDX845HaGexW4z6xJ6CP3xgpG:btN7eNsk21JHcGeNJCP

Score

10^/10

redline smokeloader logsdiller cloud (telegram: @logsdillabot)pub1 backdoor infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

C2

5.42.65.50:33080

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4784-21-0x0000000000690000-0x000000000070F000-memory.dmp	family_redline
behavioral1/memory/2800-22-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/4784-23-0x0000000000690000-0x000000000070F000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

3332
Executes dropped EXE 1 IoCs

Processes:

9BB.exe

pid process

4784 9BB.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

9BB.exe

description pid process target process

PID 4784 set thread context of 2800 4784 9BB.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3332

pid	process
4784	9BB.exe

description	pid	process	target process
PID 4784 set thread context of 2800	4784	9BB.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe

pid	process
3016	30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe
3016	30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe

pid process

3016 30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

RegAsm.exe

description	pid	process
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeDebugPrivilege	2800	RegAsm.exe
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.exe9BB.exe

description	pid	process	target process
PID 3332 wrote to memory of 4512	3332		cmd.exe
PID 3332 wrote to memory of 4512	3332		cmd.exe
PID 4512 wrote to memory of 1932	4512	cmd.exe	reg.exe
PID 4512 wrote to memory of 1932	4512	cmd.exe	reg.exe
PID 3332 wrote to memory of 4784	3332		9BB.exe
PID 3332 wrote to memory of 4784	3332		9BB.exe
PID 3332 wrote to memory of 4784	3332		9BB.exe
PID 4784 wrote to memory of 2800	4784	9BB.exe	RegAsm.exe
PID 4784 wrote to memory of 2800	4784	9BB.exe	RegAsm.exe
PID 4784 wrote to memory of 2800	4784	9BB.exe	RegAsm.exe
PID 4784 wrote to memory of 2800	4784	9BB.exe	RegAsm.exe
PID 4784 wrote to memory of 2800	4784	9BB.exe	RegAsm.exe
PID 4784 wrote to memory of 2800	4784	9BB.exe	RegAsm.exe
PID 4784 wrote to memory of 2800	4784	9BB.exe	RegAsm.exe
PID 4784 wrote to memory of 2800	4784	9BB.exe	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe
"C:\Users\Admin\AppData\Local\Temp\30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7579.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\9BB.exe
C:\Users\Admin\AppData\Local\Temp\9BB.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7579.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BB.exe
Filesize
491KB

MD5
7b7b5d55a8337975ed0ab4f9f426d525

SHA1
d89bfa223df289305074dcf9b9a7d15b65e0634c

SHA256
70832e266e86d980fbe532bc2a8f8409f3421284ddf0f7cb09fd2c8484da047a

SHA512
b46b2758f5bb8028e9d53dfeb16b2522a06d65e98602508d4447ac23c42876558c33127092f11b98f8a18b0d306a733e4e4d992dc3e51946cb34549956383faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp6CBA.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
417a135c520fac3f0f4549a455f91dc0

SHA1
c52989546620d45529374028c7a2a325842efc06

SHA256
3195500480fcb19a941c3ff9dda874a70388e9b306e9ad90c3f0ee3e40022a9c

SHA512
fc4709ebaa0ce2107c5ef7343de22ce1dac0cc1c29b989fed33f011edd8db7015693cb48cf40668b94178b66f4fff5ae3caed7d499ee7d87b1868493171f5c10

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
dba4c9da0667b893c996fe4158a6283c

SHA1
4a39bc4dab3997076369f623d2a7506ced7b88ce

SHA256
e6cc8c1bfa559ffdcb62d40a704206c2d3fa404f2dd94357a14a623b00d04d07

SHA512
5496d4a33c35482e80eab0c22336fe67f51b5f65a37c63305833a741cb8365b6d0dcff3ededcfaeab2f85dd7a8e86b8186b37124fcdf594fb752990729c7e405

Download Submit
memory/2800-54-0x0000000006DC0000-0x0000000006DD2000-memory.dmp

Filesize
72KB

Download
memory/2800-57-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/2800-65-0x0000000008620000-0x0000000008B4C000-memory.dmp

Filesize
5.2MB

Download
memory/2800-64-0x0000000007F20000-0x00000000080E2000-memory.dmp

Filesize
1.8MB

Download
memory/2800-22-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2800-61-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/2800-24-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/2800-25-0x0000000005E20000-0x00000000063C4000-memory.dmp

Filesize
5.6MB

Download
memory/2800-26-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/2800-27-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/2800-28-0x0000000005960000-0x000000000596A000-memory.dmp

Filesize
40KB

Download
memory/2800-60-0x0000000005A80000-0x0000000005AD0000-memory.dmp

Filesize
320KB

Download
memory/2800-45-0x0000000006550000-0x00000000065C6000-memory.dmp

Filesize
472KB

Download
memory/2800-46-0x0000000006CF0000-0x0000000006D0E000-memory.dmp

Filesize
120KB

Download
memory/2800-47-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/2800-59-0x00000000070F0000-0x0000000007156000-memory.dmp

Filesize
408KB

Download
memory/2800-58-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/2800-52-0x0000000007330000-0x0000000007948000-memory.dmp

Filesize
6.1MB

Download
memory/2800-53-0x0000000006E80000-0x0000000006F8A000-memory.dmp

Filesize
1.0MB

Download
memory/2800-56-0x0000000006F90000-0x0000000006FDC000-memory.dmp

Filesize
304KB

Download
memory/2800-55-0x0000000006E20000-0x0000000006E5C000-memory.dmp

Filesize
240KB

Download
memory/3016-1-0x0000000001BF0000-0x0000000001CF0000-memory.dmp

Filesize
1024KB

Download
memory/3016-8-0x0000000001BC0000-0x0000000001BCB000-memory.dmp

Filesize
44KB

Download
memory/3016-2-0x0000000001BC0000-0x0000000001BCB000-memory.dmp

Filesize
44KB

Download
memory/3016-3-0x0000000000400000-0x0000000001A1C000-memory.dmp

Filesize
22.1MB

Download
memory/3016-5-0x0000000000400000-0x0000000001A1C000-memory.dmp

Filesize
22.1MB

Download
memory/3332-4-0x00000000026B0000-0x00000000026C6000-memory.dmp

Filesize
88KB

Download
memory/4784-23-0x0000000000690000-0x000000000070F000-memory.dmp

Filesize
508KB

Download
memory/4784-21-0x0000000000690000-0x000000000070F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads