redline | d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-1703-x64

Sharing

General

Target

d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac
Size

133KB
Sample

221003-j2364sgadj
MD5

0d59da753eee30ad352124c93782737e
SHA1

2575a6af11cb0572bb6bd9953206678762b29ac7
SHA256

d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac
SHA512

67dcfc8066f1f0f320e534df0a6b147eb1709cc6dc45cd77688548f986c9a257c2152ee420dfa46eb418cded18bbc175a4d2ef76f8dedc09474cadead237a5ac
SSDEEP

3072:gBvfopOR0GaD09KE1alT/F0OOGEveofqikGLueU:gMWJAlT/y1WTeU

Score

10^/10

redline smokeloader 1200654767 backdoor infostealer spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac.exe

Resource

win10-20220901-en

redline smokeloader 1200654767 backdoor infostealer spyware trojan

windows10-1703-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

1200654767

C2

79.137.192.6:8362

Targets

- Target
  
  d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac
- Size
  
  133KB
- MD5
  
  0d59da753eee30ad352124c93782737e
- SHA1
  
  2575a6af11cb0572bb6bd9953206678762b29ac7
- SHA256
  
  d5e5f7d079b216078282d955c2d625bda28ca2a4de774a46ab571c388d897dac
- SHA512
  
  67dcfc8066f1f0f320e534df0a6b147eb1709cc6dc45cd77688548f986c9a257c2152ee420dfa46eb418cded18bbc175a4d2ef76f8dedc09474cadead237a5ac
- SSDEEP
  
  3072:gBvfopOR0GaD09KE1alT/F0OOGEveofqikGLueU:gMWJAlT/y1WTeU
Score

10^/10

redline smokeloader 1200654767 backdoor infostealer spyware trojan
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

redlinesmokeloader1200654767backdoorinfostealerspywaretrojan

© 2018-2024

Terms | Privacy