redline

General

Target

1e8f0d0824f43f1ac2d664723f81acc89e1fa7acd9f3353ea41c14c6077fbd5b
Size

3.3MB
Sample

220222-qck3kaacbk
MD5

2ab31925a654ed3d501fe844f69bb345
SHA1

40e047ba9c50e94e0de35578d9c26e51a7e92bf0
SHA256

1e8f0d0824f43f1ac2d664723f81acc89e1fa7acd9f3353ea41c14c6077fbd5b
SHA512

bb029b924973682346f18ac963a951b1e6132f43867290a5e99bdca7028cfd398431a0037fb453cf95460d7207934fca464561c1a016f445f4a1fe9d61815aee

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.fddnice.pw/

http://www.sokoinfo.pw/

http://www.zzhlike.pw/

http://www.wygexde.xyz/

Extracted

Family

smokeloader

Version

2020

C2

http://perseus007.xyz/upload/

http://lambos1.xyz/upload/

http://cipluks.com/upload/

http://ragnar77.com/upload/

http://aslauk.com/upload/

http://qunersoo.xyz/upload /

http://hostunes.info/upload/

http://leonisdas.xyz/upload/

rc4.i32

Extracted

Family

redline

Botnet

v113

C2

45.150.67.141:8054

Targets

- Target
  
  1e8f0d0824f43f1ac2d664723f81acc89e1fa7acd9f3353ea41c14c6077fbd5b
- Size
  
  3.3MB
- MD5
  
  2ab31925a654ed3d501fe844f69bb345
- SHA1
  
  40e047ba9c50e94e0de35578d9c26e51a7e92bf0
- SHA256
  
  1e8f0d0824f43f1ac2d664723f81acc89e1fa7acd9f3353ea41c14c6077fbd5b
- SHA512
  
  bb029b924973682346f18ac963a951b1e6132f43867290a5e99bdca7028cfd398431a0037fb453cf95460d7207934fca464561c1a016f445f4a1fe9d61815aee
Score

10^/10

redline smokeloader socelars v113 agilenet backdoor discovery evasion infostealer persistence spyware stealer suricata trojan upx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
  suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
  suricata
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2