redline | bc6d40e9efb4a2acb018e06e50627e9d1cfd4a90f9e1e68a9e6e7c77662008a2 | Triage

Submit
Reports

Overview

overview

Static

static

cennik listopad.exe

windows7-x64

cennik listopad.exe

windows10-2004-x64

Sharing

General

Target

bc6d40e9efb4a2acb018e06e50627e9d1cfd4a90f9e1e68a9e6e7c77662008a2
Size

1.7MB
Sample

221013-p4hk3seef8
MD5

930a05d9fe202c77ac8546397129592d
SHA1

d2376487d8114ae3383c1e7ebf35eda9b6619d4e
SHA256

bc6d40e9efb4a2acb018e06e50627e9d1cfd4a90f9e1e68a9e6e7c77662008a2
SHA512

5621d1c8f4b136aca3d008aaad47040cc3b4f4522e280a69304145db886b847f89a3cd216b390dd110dee68652c4b93912c6f2dacf8ed167c215fb940f4b6af6
SSDEEP

24576:kUo5FRdHL/zMlL3m99Q6ebefoxvHCzSB1lyKLssCJ8TwIIe6EbOkQZ9n4fnySc5:kUo5t799QZTlCzSBSkPIuQ/nQc5

Score

10^/10

redline smokeloader v1 backdoor infostealer persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

cennik listopad.exe

Resource

win7-20220901-en

redline v1 infostealer persistence

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

cennik listopad.exe

Resource

win10v2004-20220901-en

redline smokeloader v1 backdoor infostealer persistence trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

V1

C2

45.150.64.103:42708

Attributes

auth_value
ac1e00fc097456e8b89d9ee9bf0f280b

Targets

- Target
  
  cennik listopad.exe
- Size
  
  668.1MB
- MD5
  
  aa3934d779b55a03273b3b68ea25f2fe
- SHA1
  
  9489523bdd6555cf5eff1f0afd773ed929303eae
- SHA256
  
  5b1c29a7dcf64918afe4a0254da1727588719ea1c8cb6ee20432834c362146f3
- SHA512
  
  83346493f23dc74216adc71afe9fdad19c12c8aef8cdacb8dc43fd96485feb7fe280cd7313be3a41a5be0100c0b5b9524e9c43814bb5ef67846d19d5d14a3581
- SSDEEP
  
  1536:dI47GyTGCwiSnmQUt0LB11s5gmRlmDgkBVyC8nh383NMGPBhQVPOxSwH:dvGyYiSDnt1i5FYDg4V/8n6S0Z7
Score

10^/10

redline v1 infostealer persistence smokeloader backdoor trojan
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinev1infostealerpersistence

behavioral2

redlinesmokeloaderv1backdoorinfostealerpersistencetrojan

© 2018-2024

Terms | Privacy