General

  • Target

    bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26

  • Size

    139KB

  • Sample

    221225-1a7hwscb35

  • MD5

    f0e970cacc1279501deb0beadadd84ad

  • SHA1

    be76d5dbfa35cb21be33ef802fc4586447f8c129

  • SHA256

    892d50a163bac4073235a46a2f7b713e65c24f3dbcc77d830a2f327c52241a3a

  • SHA512

    e242d3e96020fd63c6392d6449a7ad8ad6b3fa80e296adbfc808bcffaaa06d6213ebdd3f425248da0964b66b8fef89dc7b3f0e57a5da0d4fe554e374b569ad6a

  • SSDEEP

    3072:p2IgLk2F014lAeupTZqTE8wZhJMAqkbeJ7aj3D:p23l+1YAPTNJneJ7a

Malware Config

Extracted

Family

redline

Botnet

11

C2

79.137.202.18:45218

Attributes
  • auth_value

    107e09eee63158d2488feb03dac75204

Targets

    • Target

      bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26

    • Size

      231KB

    • MD5

      a5f5f37a1847dfb887afe130c5838633

    • SHA1

      3ffdfe8a0a11303521f287888e0b8669d88433da

    • SHA256

      bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26

    • SHA512

      ffb2e678256ea987eb2c462df2bf4f4e04958bcd37d56a717290da6dc1c12061f84f8b6f303aa593191b15c463a4650962e1d0cadfca5f64b02c73af215cceb7

    • SSDEEP

      3072:Rbud1LNTJc5Hm7Gs4V2GEl6pAT23tJ/NewSw7RkxmJZs:R4LVJom7DGndJ/EDGymI

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Persistence

                Privilege Escalation

                  Tasks