General

  • Target

    8dd5ec6332a698f00b2feb4b74fcf185a6905bce3e18bd998d1ea8ba0e354525

  • Size

    139KB

  • Sample

    221225-s3ve2aeg7y

  • MD5

    79f6b3babf65a0433b7a1ef841ad54aa

  • SHA1

    3ecd10d512acf3082630721c231dcd93f9addd02

  • SHA256

    f79cdf6573dd3b3b9cf8ec5705565617b0f43fa568527175de410f86a3a4aa70

  • SHA512

    245474af87fca6c75c607bdb70e9a97610fd4a097988f2d23d681629cc2cf96470e6e38e9bfbd1c5cd8aff08bc24a7e38513b08156c32fe58e5f402358e22867

  • SSDEEP

    3072:4yr8bcUau0ECFIV10+RVyh31b+JkqVeTfpTxpDZPy5g:4x6BF+0ek6JFeTfpp6O

Malware Config

Extracted

Family

redline

Botnet

11

C2

79.137.202.18:45218

Attributes
  • auth_value

    107e09eee63158d2488feb03dac75204

Targets

    • Target

      8dd5ec6332a698f00b2feb4b74fcf185a6905bce3e18bd998d1ea8ba0e354525

    • Size

      231KB

    • MD5

      eabaf86be2fa999dfada34f3c9e53c99

    • SHA1

      6a41e2a4452a19631b9ccac17496df40f867f6ec

    • SHA256

      8dd5ec6332a698f00b2feb4b74fcf185a6905bce3e18bd998d1ea8ba0e354525

    • SHA512

      c87b2ef8f7a914185f96836c6a5f6c36d3c3ebb771e934f81d4119df8659e3301775ae4bd59215817c11676ddffb221b7793802ebff7f8124f26058a10556f38

    • SSDEEP

      3072:TFciL5TkXE5HLjQO69QHD/PjoZBFp50dtJ//894w7RkxmJZs:T/L54XILkbQgZjkrJ/kmGymI

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Tasks