redline

General

Target

34b3e67c1a42a5674f7f7118c7e6b4ed4853c0e3f765b99fa99f8f8c72bd1ffc
Size

3.2MB
Sample

220222-fjv61adghp
MD5

380c05075b2a3e3c81b668cb55ccc5ee
SHA1

c5c44ae629b41dc1abe787ee3c8a7bb86ec26780
SHA256

34b3e67c1a42a5674f7f7118c7e6b4ed4853c0e3f765b99fa99f8f8c72bd1ffc
SHA512

7a74fd338bc990de8e6e11d4ccf35a3b01003fd53e4a2d44e7350b50c7308baf6ca1cc63a7bf24ecaeead317f600b2c7a8f1a11ab142077f43e55a9e9d9567ce

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.fddnice.pw/

http://www.sokoinfo.pw/

http://www.zzhlike.pw/

http://www.wygexde.xyz/

Extracted

Family

smokeloader

Version

2020

C2

http://perseus007.xyz/upload/

http://lambos1.xyz/upload/

http://cipluks.com/upload/

http://ragnar77.com/upload/

http://aslauk.com/upload/

http://qunersoo.xyz/upload /

http://hostunes.info/upload/

http://leonisdas.xyz/upload/

rc4.i32

Extracted

Family

redline

Botnet

v113

C2

45.150.67.141:8054

Targets

- Target
  
  34b3e67c1a42a5674f7f7118c7e6b4ed4853c0e3f765b99fa99f8f8c72bd1ffc
- Size
  
  3.2MB
- MD5
  
  380c05075b2a3e3c81b668cb55ccc5ee
- SHA1
  
  c5c44ae629b41dc1abe787ee3c8a7bb86ec26780
- SHA256
  
  34b3e67c1a42a5674f7f7118c7e6b4ed4853c0e3f765b99fa99f8f8c72bd1ffc
- SHA512
  
  7a74fd338bc990de8e6e11d4ccf35a3b01003fd53e4a2d44e7350b50c7308baf6ca1cc63a7bf24ecaeead317f600b2c7a8f1a11ab142077f43e55a9e9d9567ce
Score

10^/10

redline smokeloader socelars v113 agilenet backdoor discovery evasion infostealer persistence spyware stealer suricata trojan upx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
  suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
  suricata
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2