redline | c1a44c5979923bc47730689584d1a8809afd07fd1550bbabee6f231aebb76ac2 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-1703-x64

Sharing

General

Target

c1a44c5979923bc47730689584d1a8809afd07fd1550bbabee6f231aebb76ac2
Size

148KB
Sample

221127-hsxsasge37
MD5

a7b9f9eefb808b9e695016812bb17984
SHA1

e7f86e5fa85b2a6d9596c5f5e8cd9c5bc9951b6f
SHA256

c1a44c5979923bc47730689584d1a8809afd07fd1550bbabee6f231aebb76ac2
SHA512

e191965e4718c1908cf9769c18ba1c0622b7510e28304fef3a72c1d9425f4b358be4b4fdb5ab731cbba35346a058466087c2e8ea72b5c3ad17e65d3a396d0cbf
SSDEEP

3072:TtRzU0DzjnzJCB5BMWTkyzgE6OnAF00PH6beSLwlJ:ntzzzJOTkyXH8H6yfL

Score

10^/10

redline smokeloader kript newlogs backdoor infostealer spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

c1a44c5979923bc47730689584d1a8809afd07fd1550bbabee6f231aebb76ac2.exe

Resource

win10-20220901-en

redline smokeloader kript newlogs backdoor infostealer spyware stealer trojan

windows10-1703-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

newlogs

C2

77.73.133.70:38819

Attributes

auth_value
05a73a1692c3aebb2a26f1a593237a77

Extracted

Family

redline

Botnet

KRIPT

C2

212.8.246.157:32348

Attributes

auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4

Targets

- Target
  
  c1a44c5979923bc47730689584d1a8809afd07fd1550bbabee6f231aebb76ac2
- Size
  
  148KB
- MD5
  
  a7b9f9eefb808b9e695016812bb17984
- SHA1
  
  e7f86e5fa85b2a6d9596c5f5e8cd9c5bc9951b6f
- SHA256
  
  c1a44c5979923bc47730689584d1a8809afd07fd1550bbabee6f231aebb76ac2
- SHA512
  
  e191965e4718c1908cf9769c18ba1c0622b7510e28304fef3a72c1d9425f4b358be4b4fdb5ab731cbba35346a058466087c2e8ea72b5c3ad17e65d3a396d0cbf
- SSDEEP
  
  3072:TtRzU0DzjnzJCB5BMWTkyzgE6OnAF00PH6beSLwlJ:ntzzzJOTkyXH8H6yfL
Score

10^/10

redline smokeloader kript newlogs backdoor infostealer spyware stealer trojan
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Web Service

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

redlinesmokeloaderkriptnewlogsbackdoorinfostealerspywarestealertrojan

© 2018-2024

Terms | Privacy