Overview

overview

10

Static

static

e9f8b31630...dd.exe

windows7-x64

10

e9f8b31630...dd.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e9f8b316306170264c2640f235e5d7dd2470d74123566509d7a21984778720dd

  • Size

    139KB

  • Sample

    221225-14fx2afc8z

  • MD5

    682a4cc5de83b7c3d59c80745c1f2665

  • SHA1

    0e4296be37d7bf96ff21503063ef0128326629a8

  • SHA256

    919e028e6404fd8b902500a8b28387b2d336fe80ab1a0b3ba9924468a4aee0e2

  • SHA512

    c0785451674919bea22d2e7514e113962ba3ddf8ae05af421a4833e3c4b0c95788607a3010a44f4bfb36b3aca6604141a6c71b801604bfacf6c4a88dc76252c6

  • SSDEEP

    3072:WszyILGLSR4CP6R/DVM/UHUU3UD/Nb9+XuwdoqhTq/0qU4:WmEM4H/lUU3UD/Nb9++wm2I0Q

Score
10/10
redlinesmokeloader11backdoorinfostealerspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

11

C2

79.137.202.18:45218

Attributes
  • auth_value

    107e09eee63158d2488feb03dac75204

Targets

    • Target

      e9f8b316306170264c2640f235e5d7dd2470d74123566509d7a21984778720dd

    • Size

      231KB

    • MD5

      ff58b2c40941c7066739fe425f01d928

    • SHA1

      ea2044c506fcea503f82fe1bc74c031db636aa59

    • SHA256

      e9f8b316306170264c2640f235e5d7dd2470d74123566509d7a21984778720dd

    • SHA512

      e42721c6062dc72d5f6141a4bc21140e571259b97443a306debdaea72864d452c8b04429d66743db6915af57ce2ddcff352fe4962fe0eb2ef9b109237502d6a7

    • SSDEEP

      3072:c5d+LO82n5TfpgX4h2XVCkFLq5c6Ka8tJ/OkZFw7RkxmJZs:cWLp2BOFCkFu57iJ/OkrGymI

    Score
    10/10
    smokeloaderbackdoortrojanredline11infostealerspyware

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks