redline

General

Target

0413cd47fc3feec56b1de4491071ad14f2025487143821a34694867e31520494
Size

200KB
Sample

220925-gdv5gsegbr
MD5

42bc7169cb277afe6629e5802a97d285
SHA1

85b6d767deeb0b6426381b740ca739d85d1bad77
SHA256

0413cd47fc3feec56b1de4491071ad14f2025487143821a34694867e31520494
SHA512

9dd773823b2ca2a791095366f6e7c433bd3433cfd18b27d2544a85366d25ea964e636b89e86f844fb9585edb9509af980124ab71d6fc9ba1cf023344431ade56
SSDEEP

3072:DZtavYRl5L+louhdD+qojkN5b61Ys10Atl4Ii22VSb9Btb0/PkIXx:FLidz3+l4IifVSbt

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @me_golds)

C2

77.73.134.27:7161

Attributes

auth_value
e136da06c7c0400f4091dab1787720ea

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  0413cd47fc3feec56b1de4491071ad14f2025487143821a34694867e31520494
- Size
  
  200KB
- MD5
  
  42bc7169cb277afe6629e5802a97d285
- SHA1
  
  85b6d767deeb0b6426381b740ca739d85d1bad77
- SHA256
  
  0413cd47fc3feec56b1de4491071ad14f2025487143821a34694867e31520494
- SHA512
  
  9dd773823b2ca2a791095366f6e7c433bd3433cfd18b27d2544a85366d25ea964e636b89e86f844fb9585edb9509af980124ab71d6fc9ba1cf023344431ade56
- SSDEEP
  
  3072:DZtavYRl5L+louhdD+qojkN5b61Ys10Atl4Ii22VSb9Btb0/PkIXx:FLidz3+l4IifVSbt
Score

10^/10

redline smokeloader tofsee xmrig logsdiller cloud (tg: @me_golds)backdoor collection evasion infostealer miner persistence spyware trojan
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1