redline

General

Target

0dcb665bf83e5de02dac89f4c72741b5330fa15bd8bb45508a756d9d6f5f3a72
Size

196KB
Sample

220924-r1nc9scgem
MD5

4ea72ef5197e09f791cd631d52fc897b
SHA1

16a03d022b4b40919e54952e8ad0f697ed69881e
SHA256

0dcb665bf83e5de02dac89f4c72741b5330fa15bd8bb45508a756d9d6f5f3a72
SHA512

f6755e88cdecd4e96b4dc2595ed67b9cc69a9ce319c203d55de14eedb032014e8e24ba2f193cf07958bbf43321b525c7fdd7c1e46cb5e1fe3b5543bc120578da
SSDEEP

3072:tAq9LyJz0RGb5QkjvOk8Hsg+UIBLWu3utc/Pkk4x:hLm0nkj+Da3

Score

10^/10

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @me_golds)

C2

77.73.134.27:7161

Attributes

auth_value
e136da06c7c0400f4091dab1787720ea

Extracted

Family

vidar

Version

54.6

Botnet

1684

C2

https://t.me/huobiinside

https://mas.to/@kyriazhs1975

Attributes

profile_id
1684

Targets

- Target
  
  0dcb665bf83e5de02dac89f4c72741b5330fa15bd8bb45508a756d9d6f5f3a72
- Size
  
  196KB
- MD5
  
  4ea72ef5197e09f791cd631d52fc897b
- SHA1
  
  16a03d022b4b40919e54952e8ad0f697ed69881e
- SHA256
  
  0dcb665bf83e5de02dac89f4c72741b5330fa15bd8bb45508a756d9d6f5f3a72
- SHA512
  
  f6755e88cdecd4e96b4dc2595ed67b9cc69a9ce319c203d55de14eedb032014e8e24ba2f193cf07958bbf43321b525c7fdd7c1e46cb5e1fe3b5543bc120578da
- SSDEEP
  
  3072:tAq9LyJz0RGb5QkjvOk8Hsg+UIBLWu3utc/Pkk4x:hLm0nkj+Da3
Score

10^/10

redline smokeloader tofsee vidar xmrig 1684 logsdiller cloud (tg: @me_golds)backdoor discovery evasion infostealer miner persistence spyware stealer trojan
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1