redline

General

Target

f13899dec145e83e8a1a7ee5be6fca18a24461d60bddd388c121d76c53eced90
Size

2.2MB
Sample

220511-l33cbagcg3
MD5

1f8f8cc2fb5c5e5af84558cdf927205c
SHA1

7a4ab20469c3e0054e9dacf84a8157fcccf4e59d
SHA256

f13899dec145e83e8a1a7ee5be6fca18a24461d60bddd388c121d76c53eced90
SHA512

4a5a5e2fb4505d16c3746a27839f5b72f8c17f4e1d88a10d4d52fff0b7e9c0de73ed2d6551dad3b621e1a378fae92591ca55745d93cd8b0fa127e38fd12f14af

Score

10^/10

redline smokeloader mixw us backdoor evasion infostealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://agressivemnaiq.xyz/

https://agressivemnaiq.xyz/

rc4.i32

Extracted

Family

redline

Botnet

us

C2

94.130.222.120:29240

Attributes

auth_value
521267bd2f00cb305e87075b05d009f9

Extracted

Family

redline

Botnet

MixW

C2

94.130.222.120:29240

Attributes

auth_value
13e177d0765ee6b55bd8c1f11560c773

Targets

- Target
  
  f13899dec145e83e8a1a7ee5be6fca18a24461d60bddd388c121d76c53eced90
- Size
  
  2.2MB
- MD5
  
  1f8f8cc2fb5c5e5af84558cdf927205c
- SHA1
  
  7a4ab20469c3e0054e9dacf84a8157fcccf4e59d
- SHA256
  
  f13899dec145e83e8a1a7ee5be6fca18a24461d60bddd388c121d76c53eced90
- SHA512
  
  4a5a5e2fb4505d16c3746a27839f5b72f8c17f4e1d88a10d4d52fff0b7e9c0de73ed2d6551dad3b621e1a378fae92591ca55745d93cd8b0fa127e38fd12f14af
Score

10^/10

redline smokeloader mixw us backdoor evasion infostealer suricata trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata
- suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1