redline | baff04e584c5a8c34b7b9a9a2a621a23227c709d8e5f352e5a24e8522df5a299 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-1703-x64

Sharing

General

Target

baff04e584c5a8c34b7b9a9a2a621a23227c709d8e5f352e5a24e8522df5a299
Size

152KB
Sample

221113-1swjcagd3y
MD5

e8e6a8ada863676e7c4cf726bf49639a
SHA1

a7608253e5f79f7707f0caaff56cbc00ec08c9aa
SHA256

baff04e584c5a8c34b7b9a9a2a621a23227c709d8e5f352e5a24e8522df5a299
SHA512

a4070610e743398eda79c38e0a4453f5d03647e2223ec1b4a05631258b321dd1c85f1c1b3a24857c83d8c9f67eacf9f2a3dc4ee532450064d3543c641263f22e
SSDEEP

3072:ovDLOGmOQDS5xl55pNSspSz+/YN/dJMXCEes/dRA:0LOGmOQWl5bQ0E+/+/AF/z

Score

10^/10

redline smokeloader google2 backdoor infostealer spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

baff04e584c5a8c34b7b9a9a2a621a23227c709d8e5f352e5a24e8522df5a299.exe

Resource

win10-20220812-en

redline smokeloader google2 backdoor infostealer spyware trojan

windows10-1703-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

Google2

C2

167.235.71.14:20469

Attributes

auth_value
fb274d9691235ba015830da570a13578

Targets

- Target
  
  baff04e584c5a8c34b7b9a9a2a621a23227c709d8e5f352e5a24e8522df5a299
- Size
  
  152KB
- MD5
  
  e8e6a8ada863676e7c4cf726bf49639a
- SHA1
  
  a7608253e5f79f7707f0caaff56cbc00ec08c9aa
- SHA256
  
  baff04e584c5a8c34b7b9a9a2a621a23227c709d8e5f352e5a24e8522df5a299
- SHA512
  
  a4070610e743398eda79c38e0a4453f5d03647e2223ec1b4a05631258b321dd1c85f1c1b3a24857c83d8c9f67eacf9f2a3dc4ee532450064d3543c641263f22e
- SSDEEP
  
  3072:ovDLOGmOQDS5xl55pNSspSz+/YN/dJMXCEes/dRA:0LOGmOQWl5bQ0E+/+/AF/z
Score

10^/10

redline smokeloader google2 backdoor infostealer spyware trojan
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinesmokeloadergoogle2backdoorinfostealerspywaretrojan

© 2018-2024

Terms | Privacy