redline

General

Target

f5b987cedc36ad0095ad11330bee082cafeb1fe60caba34c089021f4ffbb16b0
Size

186KB
Sample

221123-kb93eacc2z
MD5

a318980ea14f27777c366804d2ef9a5d
SHA1

4ec4701c118b0783ea54674657bbc97abd28c7c0
SHA256

f5b987cedc36ad0095ad11330bee082cafeb1fe60caba34c089021f4ffbb16b0
SHA512

95392578596cfdbba19d172b5b758220343be3ea53f3d38f21c9cd60d44932ce29bcabfda3738c0ea214d6ff48a657aa32f7ab7df44946bd4abfa67e72ebb845
SSDEEP

3072:xBIENGVfuKLht1WG/D5TJzhmSbHZtH45/GsOm4LUP8e:YEorLht1hBJzhNb3W/GxmlP8e

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

KRIPT

C2

212.8.246.157:32348

Attributes

auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4

Extracted

Family

redline

C2

185.215.113.83:60722

Attributes

auth_value
674feb1d15af397f9322eb62587035b3

Extracted

Family

redline

Botnet

NanoID2022

C2

185.106.92.111:2510

Attributes

auth_value
d5913c276c6c8b5735246051bef9a412

Targets

- Target
  
  f5b987cedc36ad0095ad11330bee082cafeb1fe60caba34c089021f4ffbb16b0
- Size
  
  186KB
- MD5
  
  a318980ea14f27777c366804d2ef9a5d
- SHA1
  
  4ec4701c118b0783ea54674657bbc97abd28c7c0
- SHA256
  
  f5b987cedc36ad0095ad11330bee082cafeb1fe60caba34c089021f4ffbb16b0
- SHA512
  
  95392578596cfdbba19d172b5b758220343be3ea53f3d38f21c9cd60d44932ce29bcabfda3738c0ea214d6ff48a657aa32f7ab7df44946bd4abfa67e72ebb845
- SSDEEP
  
  3072:xBIENGVfuKLht1WG/D5TJzhmSbHZtH45/GsOm4LUP8e:YEorLht1hBJzhNb3W/GxmlP8e
Score

10^/10

redline smokeloader kript nanoid2022 backdoor discovery infostealer spyware stealer trojan
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1