redline | 00c8ffc1ade615e0b77bf9ad90f5d55770c243626e41dcd68e948c3742915df4 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-1703-x64

Sharing

General

Target

00c8ffc1ade615e0b77bf9ad90f5d55770c243626e41dcd68e948c3742915df4
Size

147KB
Sample

221001-whsbqaadgr
MD5

9d1d5c4ad713a62aa923df3be73eb39c
SHA1

a9cfba2b758dd58ab10dc971176cdae1267f0b73
SHA256

00c8ffc1ade615e0b77bf9ad90f5d55770c243626e41dcd68e948c3742915df4
SHA512

d4bed992975902876d3620b5d2712d63f2b9445ae8851d9cdd965eae258db0f60885e1d0d0ff209bc33a8abcb08c9b157c635bf6ae8706f6600df32ff09d2186
SSDEEP

3072:ZPBhm4LNGRNZU14yX+v+IEKpGyDzSwHS:R/LKj9WMsyPSwy

Score

10^/10

redline smokeloader inslab26 backdoor discovery infostealer pyinstaller spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

00c8ffc1ade615e0b77bf9ad90f5d55770c243626e41dcd68e948c3742915df4.exe

Resource

win10-20220901-en

redline smokeloader inslab26 backdoor discovery infostealer pyinstaller spyware stealer trojan

windows10-1703-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

inslab26

C2

185.182.194.25:8251

Attributes

auth_value
7c9cbd0e489a3c7fd31006406cb96f5b

Targets

- Target
  
  00c8ffc1ade615e0b77bf9ad90f5d55770c243626e41dcd68e948c3742915df4
- Size
  
  147KB
- MD5
  
  9d1d5c4ad713a62aa923df3be73eb39c
- SHA1
  
  a9cfba2b758dd58ab10dc971176cdae1267f0b73
- SHA256
  
  00c8ffc1ade615e0b77bf9ad90f5d55770c243626e41dcd68e948c3742915df4
- SHA512
  
  d4bed992975902876d3620b5d2712d63f2b9445ae8851d9cdd965eae258db0f60885e1d0d0ff209bc33a8abcb08c9b157c635bf6ae8706f6600df32ff09d2186
- SSDEEP
  
  3072:ZPBhm4LNGRNZU14yX+v+IEKpGyDzSwHS:R/LKj9WMsyPSwy
Score

10^/10

redline smokeloader inslab26 backdoor discovery infostealer pyinstaller spyware stealer trojan
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

redlinesmokeloaderinslab26backdoordiscoveryinfostealerpyinstallerspywarestealertrojan

© 2018-2024

Terms | Privacy