TrojanSpy.Win32.REDLINE.AKCRDD

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following folders:

• %Program Files%\PowerControl
• %ProgramData%\DNTException
• %User Temp%\IXP000.TMP
• %User Temp%\IXP001.TMP
• %User Temp%\IXP002.TMP
• %User Profile%\Pictures\Adobe Films
• %User Profile%\Pictures\Minor Policy

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %Program Files%\PowerControl\PowerControl_Svc.exe
• %ProgramData%\DNTException\node.exe
• %ProgramData%\DNTException\node.exe:89c91f4dc785841a9acf7a8ed2e5571c
• %ProgramData%\DNTException\node.lib
• %User Temp%\40707fdddbeb1cd0
• %User Temp%\40707fdddbeb1cd0:ads
• %User Temp%\Cab{4 random characters}.tmp
• %User Temp%\db.dat
• %User Temp%\db.dll
• %User Temp%\is-I8M9R.tmp\{random characters}.tmp
• %User Temp%\IXP000.TMP\Bulgaria.ppsm
• %User Temp%\IXP000.TMP\Caps.exe.pif
• %User Temp%\IXP000.TMP\Dealers.ppsm
• %User Temp%\IXP000.TMP\Its.ppsm
• %User Temp%\IXP000.TMP\UmREs.dll
• %User Temp%\IXP001.TMP\Corner.accdt
• %User Temp%\IXP001.TMP\lWYwfys.dll
• %User Temp%\IXP001.TMP\Provide.accdt
• %User Temp%\IXP001.TMP\Quite.exe.pif
• %User Temp%\IXP001.TMP\Spotlight.accdt
• %User Temp%\IXP002.TMP\bgqlbohwfci.bat
• %User Temp%\IXP002.TMP\conhost.exe
• %User Temp%\IXP002.TMP\ehduvdpzqc.dat
• %User Temp%\IXP002.TMP\ehduvdpzqc.dat.1
• %User Temp%\IXP002.TMP\ehduvdpzqc.dat.2
• %User Temp%\IXP002.TMP\ehduvdpzqc.dat.3
• %User Temp%\IXP002.TMP\ehduvdpzqc.dat.4
• %User Temp%\IXP002.TMP\ehduvdpzqc.dat.5
• %User Temp%\IXP002.TMP\ehduvdpzqc.dat.6
• %User Temp%\IXP002.TMP\lmkuxmlws.dat
• %User Temp%\QjYJ8gU8.u
• %User Temp%\Setup Log {Installation Date} #001.txt
• %User Temp%\Tar{4 random characters}.tmp
• %Application Data%\Microsoft\Protect\oobeldr.exe
• %Application Data%\NayQnjb\Ov84Cvv.exe
• %User Profile%\Documents\{random characters}.exe
• %User Profile%\Documents\UOqNCMGUcpkg8vc.palma
• %User Profile%\Pictures\Adobe Films\{random characters}.exe
• %User Profile%\Pictures\Minor Policy\{random characters}.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• "%User Temp%\Updater.exe"
• "%User Profile%\Pictures\Minor Policy\{random characters}.exe" -h
• "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
• "%System%\regsvr32.exe" /s QJYJ8gU8.u /u
• "%System%\regsvr32.exe" /s QJYJ8gU8.u /u
• /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "%Application Data%\Microsoft\Protect\oobeldr.exe"
• attrib.exe +H %ProgramData%\DNTException
• attrib.exe +H %ProgramData%\DNTException\node.exe
• %User Temp%\is-I8M9R.tmp\{random characters}.tmp" /SL5="$603E0,11860388,791040,%User Profile%\Pictures\Adobe Films\{random characters}.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid={Process ID};
• %User Temp%\IXP000.TMP\Caps.exe.pif Films\{random characters}.exe"
• %User Temp%\IXP001.TMP\Quite.exe.pif Films\{random characters}.exe
• %Application Data%\NayQnjb\Ov84Cvv.exe
• %User Profile%\Documents\{random characters}.exe
• %User Profile%\Pictures\Adobe Films\{random characters}.exe
• %User Profile%\Pictures\Adobe Films\{random characters}.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid={Process ID}
• %User Profile%\Pictures\Minor Policy\{random characters}.exe
• %Windows%\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
• %System%\cmd.exe" /c taskkill /im "{random characters}.exe" /f & erase "%User Profile%\Pictures\Minor Policy\{random characters}.exe" & exit
• cacls.exe %ProgramData%\DNTException /t /e /c /g Everyone:F
• Caps.exe.pif U
• cmd
• cmd /c cmd < Its.ppsm & ping -n 5 localhost
• cmd /c cmd < Provide.accdt & ping -n 5 localhost
• cmd.exe /c dir %System Root%
• cmd.exe /d /c bgqlbohwfci.bat 211558517281
• conhost.exe lmkuxmlws.dat 211558517281
• find /I /N "avastui.exe
• find /I /N "avastui.exe"
• find /I /N "avgui.exe
• find /I /N "avgui.exe"
• findstr /V /R "^NpDypcc$" Corner.accdt
• findstr /V /R "^PZfwNaaV$" Dealers.ppsm
• icacls.exe %ProgramData%\DNTException /t /c /grant *S-1-1-0:(f)
• ipconfig.exe /all
• netstat.exe -ano
• node.exe node.lib 211558517281 3918534496;
• ping -n 5 localhost
• ping localhost -n 5
• Quite.exe.pif r
• robocopy 8927387376487263745672673846276374982938486273568279384982384972834
• route.exe print
• schtasks /create /f /RU "{User Name}" /tr "%Program Files%\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
• schtasks /create /f /RU "{User Name}" /tr "%Program Files%\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
• systeminfo.exe /fo csv
• taskkill /im "{random characters}.exe" /f
• tasklist /FI "imagename eq AvastUI.exe
• tasklist /FI "imagename eq AvastUI.exe"
• tasklist /FI "imagename eq AVGUI.exe
• tasklist /FI "imagename eq AVGUI.exe"
• tasklist /fo csv /nh
• wmic process get processid,parentprocessid,name,executablepath /format:csv

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Trojan Spy adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
wextract_cleanup0 = rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%User Temp%\IXP000.TMP\"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
wextract_cleanup1 = rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%User Temp%\IXP001.TMP\"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
wextract_cleanup2 = rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%User Temp%\IXP002.TMP\"

Other System Modifications

This Trojan Spy adds the following registry entries:

HKEY_CURRENT_USER\Software\LilFreskeUS
Installed = 1

HKEY_CURRENT_USER\Software\Microsoft\
daa8b658
AV =

HKEY_CURRENT_USER\Software\Microsoft\
daa8b658
CPU = {Processor}

HKEY_CURRENT_USER\Software\Microsoft\
daa8b658
FirstInstallDate = 1663902731

HKEY_CURRENT_USER\Software\Microsoft\
daa8b658
GPU = {GPU Information}

HKEY_CURRENT_USER\Software\Microsoft\
daa8b658
IsAdmin = {Execution Privilege}

HKEY_CURRENT_USER\Software\Microsoft\
daa8b658
OSCaption = {Windows Edition}

HKEY_CURRENT_USER\Software\Microsoft\
daa8b658
OSArchitecture = {OS Architecture}

HKEY_CURRENT_USER\Software\Microsoft\
daa8b658
PatchTime = 0

HKEY_CURRENT_USER\Software\Microsoft\
daa8b658
PGDSE = 0

HKEY_CURRENT_USER\Software\Microsoft\
daa8b658
Servers = http://{BLOCKED}pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion

HKEY_CURRENT_USER\Software\Microsoft\
daa8b658
ServersVersion = 190

HKEY_CURRENT_USER\Software\Microsoft\
daa8b658
ServiceVersion =

HKEY_CURRENT_USER\Software\Microsoft\
daa8b658
UUI =

HKEY_CURRENT_USER\Software\Microsoft\
ResKit\Robocopy
JobDir = ::

HKEY_CURRENT_USER\Software\Microsoft\
ResKit\Robocopy
RetryMax = 1000000

HKEY_CURRENT_USER\Software\Microsoft\
ResKit\Robocopy
WaitTime = 30000

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableRoutinelyTakingAction = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableBehaviorMonitoring = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableIOAVProtection = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableOnAccessProtection = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableRawWriteNotification = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableRealtimeMonitoring = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender\Real-Time Protection
DisableScanOnRealtimeEnable = 1

Other Details

This Trojan Spy adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
daa8b658

HKEY_CURRENT_USER\Software\LilFreskeUS

HKEY_CURRENT_USER\Software\Microsoft\
ResKit

HKEY_CURRENT_USER\Software\Microsoft\
ResKit\Robocopy

It connects to the following possibly malicious URL:

• {BLOCKED}.{BLOCKED}.129.235/storage/extension.php
• {BLOCKED}.{BLOCKED}.129.235/storage/ping.php
• {BLOCKED}.{BLOCKED}.129.251/download/Service.exe
• {BLOCKED}.{BLOCKED}.129.251/download/WW14.exe
• {BLOCKED}.{BLOCKED}.30.106/library.php
• {BLOCKED}.{BLOCKED}.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixtwo&substream=mixinte
• {BLOCKED}.{BLOCKED}.104.97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=start&substream=mixinte
• {BLOCKED}.{BLOCKED}.46.167/software.php
• {BLOCKED}.{BLOCKED}.24.96/load.php?pub=mixinte
• https://api.{BLOCKED}.sb
• https://{BLOCKED}sss.autos
• http://{BLOCKED}sss.autos
• https://{BLOCKED}et.com
• {BLOCKED}iimnstrannaer.net/dl/6523.exe
• {BLOCKED}oin-data-1.com/downloads/toolspab4.exe
• https://kke.{BLOCKED}ee.com
• http://kke.{BLOCKED}ee.com
• https://onedrive.{BLOCKED}e.com
• https://{BLOCKED}w.site
• https://sun6-20.{BLOCKED}i.com
• https://sun6-21.{BLOCKED}i.com
• https://sun6-22.{BLOCKED}i.com
• https://sun6-23.{BLOCKED}i.com
• https://{BLOCKED}ero.com
• http://{BLOCKED}ero.com
• https://{BLOCKED}k.com
• http://{BLOCKED}k.com
• https://www.{BLOCKED}conservas.com
• http://www.{BLOCKED}conservas.com