redline | ac4ac9ae95f9b2b20f7b096d3b6ade8cb40a476ffe5567c0fca714ea6c05a8ae | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

ac4ac9ae95f9b2b20f7b096d3b6ade8cb40a476ffe5567c0fca714ea6c05a8ae
Size

280KB
Sample

220922-yblxgacca9
MD5

2d78e577e1d23eabb3a50b6db212b52e
SHA1

f488354e34b96053c9ff0b14dbef22e953bce5d9
SHA256

ac4ac9ae95f9b2b20f7b096d3b6ade8cb40a476ffe5567c0fca714ea6c05a8ae
SHA512

4886732e3a00347852fd5643cd710af914675a7fc521895dc6089f8d1d029baae6e3ff9e97251ea77ab544ffe6e618eee64baad152f9a1f9c86c120cbc8216cb
SSDEEP

6144:+WtYjXbvL4sz+kO5DLy2Bv0B/OEigavwVfgD:+WtUrvz+kOVLy2eB/aT

Score

10^/10

redline smokeloader tofsee logsdiller cloud (sup: @mr_golds)backdoor evasion infostealer persistence spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

ac4ac9ae95f9b2b20f7b096d3b6ade8cb40a476ffe5567c0fca714ea6c05a8ae.exe

Resource

win10v2004-20220812-en

redline smokeloader tofsee logsdiller cloud (sup: @mr_golds)backdoor evasion infostealer persistence spyware trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Sup: @mr_golds)

C2

77.73.134.27:8163

Attributes

auth_value
56c6f7b9024c076f0a96931453da7e56

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  ac4ac9ae95f9b2b20f7b096d3b6ade8cb40a476ffe5567c0fca714ea6c05a8ae
- Size
  
  280KB
- MD5
  
  2d78e577e1d23eabb3a50b6db212b52e
- SHA1
  
  f488354e34b96053c9ff0b14dbef22e953bce5d9
- SHA256
  
  ac4ac9ae95f9b2b20f7b096d3b6ade8cb40a476ffe5567c0fca714ea6c05a8ae
- SHA512
  
  4886732e3a00347852fd5643cd710af914675a7fc521895dc6089f8d1d029baae6e3ff9e97251ea77ab544ffe6e618eee64baad152f9a1f9c86c120cbc8216cb
- SSDEEP
  
  6144:+WtYjXbvL4sz+kO5DLy2Bv0B/OEigavwVfgD:+WtUrvz+kOVLy2eB/aT
Score

10^/10

redline smokeloader tofsee logsdiller cloud (sup: @mr_golds)backdoor evasion infostealer persistence spyware trojan
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinesmokeloadertofseelogsdiller cloud (sup: @mr_golds)backdoorevasioninfostealerpersistencespywaretrojan

© 2018-2024

Terms | Privacy