redline

Sharing

Copy URL

Twitter E-mail

General

Target

a4ff0954cdad7803ed827b73d63198b4f30a3a2eb46baf94bd99c69761a65ce6
Size

2.9MB
Sample

220408-rcv37sddd9
MD5

aac9a5744455124b197b7ea300c442dc
SHA1

0b51e598edcdde4d11fa02e7146229ca7a93c2b0
SHA256

a4ff0954cdad7803ed827b73d63198b4f30a3a2eb46baf94bd99c69761a65ce6
SHA512

bd66285d9f0f45c3323bc2520898ba307f47b6892a9a2d9de3a3a1eec178a7edf7c27f72b156fd50bb9e0f21ae0719ff440a1a196b5cb24506671fc614341ad2

Score

10^/10

redline smokeloader socelars v1 backdoor discovery evasion infostealer persistence spyware stealer trojan upx

Malware Config

Extracted

Family

socelars

http://www.fddnice.pw/

http://www.sokoinfo.pw/

http://www.zzhlike.pw/

http://www.wygexde.xyz/

Extracted

Family

redline

Botnet

199.195.251.96:43073

Extracted

Family

smokeloader

Version

2020

http://al-commandoz.com/upload/

http://antalya-belek.com/upload/

http://luxurysv.com/upload/

http://massagespijkenisse.com/upload/

http://rexgorellhondaevent.com/upload/

rc4.i32

Targets

- Target
  
  Files.exe
- Size
  
  480KB
- MD5
  
  04251d7ea41e3c1906bcc0bc29a37e15
- SHA1
  
  4a8b321bdcb9c4e5fe93e0bca8ea1cbd4143e377
- SHA256
  
  c0f34b639fa12e2fd29e39092e3b2e14b9c41d4bd7c69a42478b1834094fa2df
- SHA512
  
  04a283488ae01837f9a733c8d71a645e849dd2a32ec8f67ea351582bc2604049751c6b6cacfa342f02c2f8701540ac4b2cdab162936a79a1d9d42a00f16df8fb
Score

10^/10

redline v1 evasion infostealer trojan persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  KRSetp.exe
- Size
  
  163KB
- MD5
  
  aeeeb778afcc78fa80f64a199a49cdb4
- SHA1
  
  873b799fe828862861f02258d36a66a9664c0a95
- SHA256
  
  27decb456b65dee3d232a0f04b92976428d8aa26ec25fe26b3bb3dfc2b05c146
- SHA512
  
  9aba8b5f3cdf293fadba07ebb502cd8b9888f405be0ece794a1bd6d883a98ca32561e905efa8c7f1fffd38cddec0bab61db42b12a5690cc34564cd7340605691
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral3 behavioral4
- Target
  
  agdsk.exe
- Size
  
  1.4MB
- MD5
  
  53f9570b38f020cfca3f1ff6c274ad3d
- SHA1
  
  96910fbf8a83816c804e2e0daf70d6fcdcc11657
- SHA256
  
  32ac26c29131d682d7d02accf5235858e249f792b76e5a34b153f05a3c97e391
- SHA512
  
  5e86af31fe8f9f09fc510fdb593adc4d4b7bf6fb02c8deec9c157acbd4c248e7a62d2f90eedfd396e9c8b2dd2429486561a7742e38eb64fe3e2b9874d3b0edb3
Score

10^/10

socelars discovery spyware stealer
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral5 behavioral6
- Target
  
  jg4_4jaa.exe
- Size
  
  1.0MB
- MD5
  
  71e6d5725a4495e73c3988a7d61641da
- SHA1
  
  d087800fd4b040bb346143e496fb816fec18bf68
- SHA256
  
  adf7cacf624f929ba9b510d7712f3bb0fcfce8ebf7fb63316e84461cedb4ea18
- SHA512
  
  6ce416b305b08df894f41577c89c392ea9e3180cacbdb70a1a9f80b94832ed21b3d66a6136d479df791b70532bbcd7f0cb290ff2a88991c72eca9fddca1f9e6b
Score

7^/10

spyware stealer evasion trojan
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks whether UAC is enabled
  evasion trojan
behavioral7 behavioral8
- Target
  
  pub2.exe
- Size
  
  283KB
- MD5
  
  8c0833558105d214596567678d709c08
- SHA1
  
  673729d6b72a569c78e7ae4afc3330d76a567ffe
- SHA256
  
  d19440fdd9ab41733825f73985f1b1ada5c1cd8c949c88ca28d92b470cda1f89
- SHA512
  
  e1a0e041a4a69b44283f828f7abd4bfb1924bfaf0d352a8ee1d104359d8d8c53de0a8f07a7c9c411c6e3c9b668936884bed9d54890e5c38ec678f9045fc3fe11
Score

10^/10

smokeloader backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Loads dropped DLL
behavioral9 behavioral10
- Target
  
  pzyh.exe
- Size
  
  975KB
- MD5
  
  8cbde3982249e20a6f564eb414f06fe4
- SHA1
  
  6d040b6c0f9d10b07f0b63797aa7bfabf0703925
- SHA256
  
  4a8a37d0010b2a946e9b202ea07d8b93a29a3ea9a56852678307076e10999c83
- SHA512
  
  d84863489b5fb2d17ee1df47de735a88d510bb8f5e378126243e34edb017d3ed82807c7dbd5cf6a977601f0e440be12e680679f1ce472619fd0ebbe9579c3e1b
Score

8^/10

persistence spyware stealer upx
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral11 behavioral12
- Target
  
  wf-game.exe
- Size
  
  702KB
- MD5
  
  56f7f9da6ff4124d52bf27f0116e5811
- SHA1
  
  7a19ec49d23a71b47ad507793e6afc53139b5d78
- SHA256
  
  1fd100eb0aa9348af79f35abb29990b7c1ced997016da20316f94bdb6cca8944
- SHA512
  
  0c7372f9ac72c5db7de658b80cfe9186cce4fee52f46aaf10efa3eb15d0133a2b5fd9c85984ef63f7b79e0787490ad2814cee01dc749a9ac90291d52b41b7fcf
Score

10^/10
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral13 behavioral14

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

RedLine Payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Socelars

Reads user/profile data of web browsers

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of web browsers

Checks whether UAC is enabled

SmokeLoader

Loads dropped DLL

Executes dropped EXE

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of NtCreateUserProcessOtherParentProcess

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14