redline

General

Target

SecuriteInfo.com.W32.AIDetect.malware1.15067.7286
Size

302KB
Sample

210311-mvqzy9evc2
MD5

de938a6e9d26fe6406522ad5114c3ebf
SHA1

e1f0533aaa45c2a3dc8072821dbe83438f9c1741
SHA256

4b74a532f2a5da62ae4298b75c9dc13ec959810a66c34aaefdf6b58c067396dd
SHA512

888c5276b2ca14de95d6c87a6d50bd75b9a3fb2c5b9fafd0e07c7086eeeb484dcb72e80119c750a43c2af738ff401dcd3f1e2bd88191afff65f0c52bb27bd874

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Targets

- Target
  
  SecuriteInfo.com.W32.AIDetect.malware1.15067.7286
- Size
  
  302KB
- MD5
  
  de938a6e9d26fe6406522ad5114c3ebf
- SHA1
  
  e1f0533aaa45c2a3dc8072821dbe83438f9c1741
- SHA256
  
  4b74a532f2a5da62ae4298b75c9dc13ec959810a66c34aaefdf6b58c067396dd
- SHA512
  
  888c5276b2ca14de95d6c87a6d50bd75b9a3fb2c5b9fafd0e07c7086eeeb484dcb72e80119c750a43c2af738ff401dcd3f1e2bd88191afff65f0c52bb27bd874
Score

10^/10

smokeloader backdoor persistence trojan redline discovery evasion infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2