redline | 2123f46b435c2e8765a882624a35060d86226424c97a2b2a9edad4b75bd0ba3f | Triage

Resubmissions

17-10-2022 14:20

221017-rnkfvacaf6 10

15-10-2022 17:37

221015-v65raafhaq 10

Sharing

General

Target

ab606f1f97bbc65edd55952a2daf2252.exe
Size

213KB
Sample

221015-v65raafhaq
MD5

ab606f1f97bbc65edd55952a2daf2252
SHA1

1ec0354c1f2a2ef61f3193511ea172f947734b13
SHA256

2123f46b435c2e8765a882624a35060d86226424c97a2b2a9edad4b75bd0ba3f
SHA512

483f86ad28e5c61a52eb8d874d82fbe559f3386b189b5e856fd5fabf9ad3fa604790828164e4e6249462fefb7183ee1f9f4a3ab93166501f29e740510eaafdac
SSDEEP

6144:Tv2LdFDqNR8H1N108GtQlOM0d80N6tzOZ:Tv2BFDqNRMN108iQlOxN6ROZ

Score

10^/10

redline smokeloader 535 backdoor discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

535

C2

45.15.156.26:2794

Attributes

auth_value
e7680eed1ef96d61de0f4c54c7c5a594

Targets

- Target
  
  ab606f1f97bbc65edd55952a2daf2252.exe
- Size
  
  213KB
- MD5
  
  ab606f1f97bbc65edd55952a2daf2252
- SHA1
  
  1ec0354c1f2a2ef61f3193511ea172f947734b13
- SHA256
  
  2123f46b435c2e8765a882624a35060d86226424c97a2b2a9edad4b75bd0ba3f
- SHA512
  
  483f86ad28e5c61a52eb8d874d82fbe559f3386b189b5e856fd5fabf9ad3fa604790828164e4e6249462fefb7183ee1f9f4a3ab93166501f29e740510eaafdac
- SSDEEP
  
  6144:Tv2LdFDqNR8H1N108GtQlOM0d80N6tzOZ:Tv2BFDqNRMN108iQlOxN6ROZ
Score

10^/10

smokeloader backdoor trojan redline 535 discovery infostealer spyware stealer
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Web Service

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

redlinesmokeloader535backdoordiscoveryinfostealerspywarestealertrojan