redline | 4911e25310acfe3efe4ed72720cdfe857a33dc6c0dbaf94120858aedae58baf4 | Triage

Submit
Reports

Overview

overview

Static

static

4e6dadb370...bb.exe

windows7-x64

4e6dadb370...bb.exe

windows10-2004-x64

Sharing

General

Target

4e6dadb3701fb6431d2285a3738cd0bb.exe
Size

133KB
Sample

221003-jzfm2afhbn
MD5

4e6dadb3701fb6431d2285a3738cd0bb
SHA1

9ba8296081681f022deeaa85f5cd4cf4f91e1508
SHA256

4911e25310acfe3efe4ed72720cdfe857a33dc6c0dbaf94120858aedae58baf4
SHA512

f13994d7d40a9398969404d48608c8baee92e3cfd99222a49a203f0ea72f69c95896a244f876fab1b1fc06d5060090f335fa6e2f7989789da1692d2ddf632304
SSDEEP

3072:xDzVnRiCmX3KSqkhXieJe9mXM+lgH+tbNuOT:aX3e3+E+1NH

Score

10^/10

redline smokeloader 1200654767 backdoor infostealer persistence spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

4e6dadb3701fb6431d2285a3738cd0bb.exe

Resource

win7-20220812-en

smokeloader backdoor trojan

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

4e6dadb3701fb6431d2285a3738cd0bb.exe

Resource

win10v2004-20220812-en

redline smokeloader 1200654767 backdoor infostealer persistence spyware trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

1200654767

C2

79.137.192.6:8362

Targets

- Target
  
  4e6dadb3701fb6431d2285a3738cd0bb.exe
- Size
  
  133KB
- MD5
  
  4e6dadb3701fb6431d2285a3738cd0bb
- SHA1
  
  9ba8296081681f022deeaa85f5cd4cf4f91e1508
- SHA256
  
  4911e25310acfe3efe4ed72720cdfe857a33dc6c0dbaf94120858aedae58baf4
- SHA512
  
  f13994d7d40a9398969404d48608c8baee92e3cfd99222a49a203f0ea72f69c95896a244f876fab1b1fc06d5060090f335fa6e2f7989789da1692d2ddf632304
- SSDEEP
  
  3072:xDzVnRiCmX3KSqkhXieJe9mXM+lgH+tbNuOT:aX3e3+E+1NH
Score

10^/10

smokeloader backdoor trojan redline 1200654767 infostealer persistence spyware
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

redlinesmokeloader1200654767backdoorinfostealerpersistencespywaretrojan

© 2018-2024

Terms | Privacy