redline | 4ff32cd7d9a37a73d8c836a7c5a32792281e46b3f2d8a17fd535a4c90fe65680 | Triage

Submit
Reports

Overview

overview

Static

static

df689aafc3...c2.exe

windows7_x64

df689aafc3...c2.exe

windows10-2004_x64

Sharing

General

Target

df689aafc37fe83d1f76984911e4d6c2.exe
Size

264KB
Sample

220322-vkq11agda6
MD5

df689aafc37fe83d1f76984911e4d6c2
SHA1

e90bd78e5e110fe2d306ecc8e8cadf19de78564c
SHA256

4ff32cd7d9a37a73d8c836a7c5a32792281e46b3f2d8a17fd535a4c90fe65680
SHA512

435fd573b94e4fc3c53bc5d7bf56a3e83a434da4c60a7bc960f572afbf726c00c916dab41e342b2b473b5d61a99679728f478d623a0fc7b987c6b78c8f87e4aa

Score

10^/10

redline smokeloader 1 backdoor discovery infostealer persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

df689aafc37fe83d1f76984911e4d6c2.exe

Resource

win7-20220311-en

smokeloader backdoor discovery spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

df689aafc37fe83d1f76984911e4d6c2.exe

Resource

win10v2004-20220310-en

redline smokeloader 1 backdoor discovery infostealer persistence spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://coralee.at/upload/

http://ducvietcao.com/upload/

http://biz-acc.ru/upload/

http://toimap.com/upload/

http://bbb7d.com/upload/

http://piratia-life.ru/upload/

http://curvreport.com/upload/

http://viagratos.com/upload/

http://mordo.ru/upload/

http://pkodev.net/upload/

http://ghahantellorb.com/

http://hasarcyaionex.shop/

rc4.i32

rc4.i32

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

1

C2

62.204.41.199:30941

Attributes

auth_value
233d7744d392476aad9c7ac20cda7c2e

Targets

- Target
  
  df689aafc37fe83d1f76984911e4d6c2.exe
- Size
  
  264KB
- MD5
  
  df689aafc37fe83d1f76984911e4d6c2
- SHA1
  
  e90bd78e5e110fe2d306ecc8e8cadf19de78564c
- SHA256
  
  4ff32cd7d9a37a73d8c836a7c5a32792281e46b3f2d8a17fd535a4c90fe65680
- SHA512
  
  435fd573b94e4fc3c53bc5d7bf56a3e83a434da4c60a7bc960f572afbf726c00c916dab41e342b2b473b5d61a99679728f478d623a0fc7b987c6b78c8f87e4aa
Score

10^/10

smokeloader backdoor discovery spyware stealer trojan redline 1 infostealer persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoordiscoveryspywarestealertrojan

behavioral2

redlinesmokeloader1backdoordiscoveryinfostealerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy