redline | 82a1237757d0bcf50e1dda34b1f72704a35a6e892ecf882fda6d2cdd63039c21 | Triage

Submit
Reports

Overview

overview

Static

static

4

Installer ...ll.exe

windows10-2004-x64

Sharing

General

Target

Installer windows.zip
Size

2.8MB
Sample

220916-lzsnpsahhn
MD5

d2b6856cbfc3a959358befee472cdaee
SHA1

a86e6c6dae5bff07187289a9d702b3e20ac7e966
SHA256

82a1237757d0bcf50e1dda34b1f72704a35a6e892ecf882fda6d2cdd63039c21
SHA512

f494c506f5c213a2363540d39b0670b885316aad20720fc0139e1c7ba4a28d1b45684c8e97c75f715ce82ddee2b460a9fe7b1a0e2ea3c4de85085934fbd2cd69
SSDEEP

49152:XcTsZuNUThOAes27dMlTohAcD+CeHhsm9g/gXrU:MTSkphOHdjmm95bU

Score

10^/10

redline smokeloader me backdoor discovery infostealer link pdf persistence spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Installer windows/Settup-Install.exe

Resource

win10v2004-20220901-en

redline smokeloader me backdoor discovery infostealer persistence spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

me

C2

92.119.112.239:22628

Attributes

auth_value
0b41ed1bdf04c7505d47398771081370

Targets

- Target
  
  Installer windows/Settup-Install.exe
- Size
  
  668.1MB
- MD5
  
  5f86a7be850ceace8b3592506b44b82e
- SHA1
  
  d1fa5b683abeb53019c6236fa55e69987a86d321
- SHA256
  
  7e7e5dfd5a764724f9a653dee16b4371708dd6e6d5f42e0663b48208c6a63bb6
- SHA512
  
  77fdda3c460be63f291d73026a6a9b9a19abd809a7874b211ef7e5dbd774bcd1366264a2210fc2987b8d708a0d5d41c4962354defefcdbcc734865d6c568170e
- SSDEEP
  
  3072:ivGyYiSDnt12q5hOL5PFn0wcccccccc5hX:m4Gg0PFn0wcccccccc
Score

10^/10

redline smokeloader me backdoor discovery infostealer persistence spyware stealer trojan
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redlinesmokeloadermebackdoordiscoveryinfostealerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy