General

  • Target

    d14b20c4eb8676d6b311af2e9dde7f93.exe

  • Size

    124KB

  • Sample

    211030-gx7mmaeee4

  • MD5

    d14b20c4eb8676d6b311af2e9dde7f93

  • SHA1

    83fc9c84a0e1c37c2144a3ef9bec83a0569847bb

  • SHA256

    a3cf60a275c70b3b79a12f40ef477ceacc35b66209856fafe770df228df08de4

  • SHA512

    cbc5bcfd7251ffb7c8b7d5c9795a2f502f52dde24b7b475996684ad080b808b0996ffeb43020bd31c8453d2243e0d23d108fc8255aea2f48de62d9572a510014

Malware Config

Extracted
  • Family: redline
  • C2: 80.66.87.50:80

Extracted
  • Family: smokeloader
  • Version: 2020
  • C2:

  • rc4.i32
  • rc4.i32

Extracted
  • Family: redline
  • Botnet: 223
  • C2: 23.94.183.146:60709

Targets

    • Target

      d14b20c4eb8676d6b311af2e9dde7f93.exe

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Windows security bypass

    • Nirsoft

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  • Modify Existing Service: 1 (T1031)
  • Registry Run Keys / Startup Folder: 1 (T1060)

Defense Evasion
  • Modify Registry: 4 (T1112)
  • Disabling Security Tools: 3 (T1089)

Credential Access
  • Credentials in Files: 2 (T1081)

Discovery
  • Query Registry: 2 (T1012)
  • System Information Discovery: 2 (T1082)
  • Peripheral Device Discovery: 1 (T1120)

Collection
  • Data from Local System: 2 (T1005)

Tasks