redline | 8862f70691d3e4fd9993c7bec511b4829403f15fba9b7999708edc372da0103c | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

dridex

windows10-1703-x64

Sharing

General

Target

8862f70691d3e4fd9993c7bec511b4829403f15fba9b7999708edc372da0103c
Size

134KB
Sample

221002-q1pewshcd4
MD5

0d90cd2b626eb1e2173e0a1fc07fd113
SHA1

fbb00ad8ad06bc9286f2e49dca4d5bf1080cc23e
SHA256

8862f70691d3e4fd9993c7bec511b4829403f15fba9b7999708edc372da0103c
SHA512

4079a57b686fe5162c8cafa969469d3879196800245bc6d5f70c92d0cb8c68ca95f863debee4845a713c65c1cc94ccaab4fa32d89711fb2cc64e36b65cd3f775
SSDEEP

3072:F3i2EnRIZK6Su/IhB2lYAuqSoUWBSxRwge4Xfn/per:Bkw/Ij2YlqQWBEQ4f/pe

Score

10^/10

redline smokeloader backdoor discovery infostealer persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

8862f70691d3e4fd9993c7bec511b4829403f15fba9b7999708edc372da0103c.exe

Resource

win10-20220901-en

redline smokeloader backdoor discovery infostealer persistence spyware stealer trojan

windows10-1703-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

redline

C2

80.66.87.22:80

80.66.87.13:80

Attributes

auth_value
5b663effac3b92fe687f0181631eeff2

Targets

- Target
  
  8862f70691d3e4fd9993c7bec511b4829403f15fba9b7999708edc372da0103c
- Size
  
  134KB
- MD5
  
  0d90cd2b626eb1e2173e0a1fc07fd113
- SHA1
  
  fbb00ad8ad06bc9286f2e49dca4d5bf1080cc23e
- SHA256
  
  8862f70691d3e4fd9993c7bec511b4829403f15fba9b7999708edc372da0103c
- SHA512
  
  4079a57b686fe5162c8cafa969469d3879196800245bc6d5f70c92d0cb8c68ca95f863debee4845a713c65c1cc94ccaab4fa32d89711fb2cc64e36b65cd3f775
- SSDEEP
  
  3072:F3i2EnRIZK6Su/IhB2lYAuqSoUWBSxRwge4Xfn/per:Bkw/Ij2YlqQWBEQ4f/pe
Score

10^/10

redline smokeloader backdoor discovery infostealer persistence spyware stealer trojan
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

redlinesmokeloaderbackdoordiscoveryinfostealerpersistencespywarestealertrojan

© 2018-2025

Terms | Privacy