redline | a10400d1b68c46db52f94a07b4e2714bbcf319778ee9eda05f6aab0e9f545c09 | Triage

Sharing

General

Target

04psi.zip
Size

100KB
Sample

201117-g4zw1f6cy2
MD5

ea211b888d483e9d624e7927aa6487bb
SHA1

e7cec3c59fb6055ad5c62e1178a96a84e01d2a93
SHA256

a10400d1b68c46db52f94a07b4e2714bbcf319778ee9eda05f6aab0e9f545c09
SHA512

5c4a0eebc6910a39503d80d7cdcdb2a977576a7fccba7319bfd6434df58ce2e54de2bc4bcc64f0e5141d98f46eba465c79ece11e83d857bb8f9e28fb70817f68

Score

10^/10

redline smokeloader backdoor infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://rexstat35xm.xyz/statweb577/

http://dexspot2cx.club/statweb577/

http://atxspot20cx.best/statweb577/

http://rexspot7xm.xyz/statweb577/

http://datasectex.com/statweb577/

http://servicem977xm.xyz/statweb577/

http://advertxman7cx.xyz/statweb577/

http://starxpush7xm.xyz/statweb577/

rc4.i32

rc4.i32

Targets

- Target
  
  04psi.exe
- Size
  
  237KB
- MD5
  
  4bc2708122b1e43131888d1beee6c560
- SHA1
  
  8a82caf8b8f908898145e953ef8f1e665e8058db
- SHA256
  
  3fc06d1926ada759903e4ebc197f9da5baa80fb8f729f34395dd7c67e2d58a8c
- SHA512
  
  fcf714de9ae1d23ebe054f601938653f9643dbbf288319b4c3b2872544dbb2c82c5db8a4abc64a146648da9f5b71760ce485c1b5935473d214736438dffc2749
Score

10^/10

smokeloader backdoor trojan redline infostealer persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- JavaScript code in executable
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

redlinesmokeloaderbackdoorinfostealerpersistencetrojan