redline

General

Target

ebf30034ebe98a4f2c59959c91735f160fdf1faf0f75f8cada28c1d18e1f01f6
Size

187KB
Sample

220923-q892kaaden
MD5

dd59e1310a3921873b133d6d32ea6c71
SHA1

0def7a15a3da6f4fcfbac87776522606fd8f9d82
SHA256

ebf30034ebe98a4f2c59959c91735f160fdf1faf0f75f8cada28c1d18e1f01f6
SHA512

1b75d64b2692bf07f7f6c01d35054840c3ca69f0465b25cd50444d1a2d7bf4d7a9da95580fccd684bd4a4cc27f1a13f09ea57a79fc80e60ad934a5eefbb5567d
SSDEEP

3072:zBOFQhmALrG4wHG5g10vNkN0MxxosuVPanK0JM02snBGBx5a84GS/PkK4n:tbLDwHRiNkzxvKqTw5iG

Score

10^/10

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Extracted

Family

redline

Botnet

LogsDiller Cloud (Sup: @mr_golds)

C2

77.73.134.27:8163

Attributes

auth_value
56c6f7b9024c076f0a96931453da7e56

Targets

- Target
  
  ebf30034ebe98a4f2c59959c91735f160fdf1faf0f75f8cada28c1d18e1f01f6
- Size
  
  187KB
- MD5
  
  dd59e1310a3921873b133d6d32ea6c71
- SHA1
  
  0def7a15a3da6f4fcfbac87776522606fd8f9d82
- SHA256
  
  ebf30034ebe98a4f2c59959c91735f160fdf1faf0f75f8cada28c1d18e1f01f6
- SHA512
  
  1b75d64b2692bf07f7f6c01d35054840c3ca69f0465b25cd50444d1a2d7bf4d7a9da95580fccd684bd4a4cc27f1a13f09ea57a79fc80e60ad934a5eefbb5567d
- SSDEEP
  
  3072:zBOFQhmALrG4wHG5g10vNkN0MxxosuVPanK0JM02snBGBx5a84GS/PkK4n:tbLDwHRiNkzxvKqTw5iG
Score

10^/10

redline smokeloader tofsee xmrig logsdiller cloud (sup: @mr_golds)backdoor discovery evasion infostealer miner persistence spyware stealer trojan
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1