General

  • Target: 73ec86842ba50440f5b721fc8716ba3d49ea4a5090b674c06eb7cc48e8039264
  • Size: 140KB
  • Sample: 221225-ztkb2afc3y
  • MD5: cd0639491b472bc40d9084980b2f9d2d
  • SHA1: 65bd5fac4e9f7f25adfd7e0765823ea8eadee698
  • SHA256: 2975944701ebd8d950201449076c981f42458a1e2f5910107d3dddeab848270a
  • SHA512: 49e2a96da66f27cfd7f99d3188d9bd9d57b9ff17b9e83383a036dca64bf6d51bfb316e4f81ea2fb683297f22cd72495d144f62a6caf5645e033e758a968d9620
  • SSDEEP: 3072:hbSSXbKRuxTsftA9iGWuyegKYZKrnN2i1WY1SpvHDXmom8gNMT:hHXbKRYTsftA9iDdFZKDN2xYYHDWhTMT

Malware Config

Extracted

  • Family: redline
  • Botnet: 11
  • C2: 79.137.202.18:45218
  • Attributes
    • auth_value: 107e09eee63158d2488feb03dac75204

Targets

  • Target: 73ec86842ba50440f5b721fc8716ba3d49ea4a5090b674c06eb7cc48e8039264
  • Size: 232KB
  • MD5: a2f045e13b03eb529a8c4713fc96984c
  • SHA1: e1b201aadf27806f6d997ae86311777421574748
  • SHA256: 73ec86842ba50440f5b721fc8716ba3d49ea4a5090b674c06eb7cc48e8039264
  • SHA512: df83c3f17c5f785761cafed752b7a79481dc72cd9c55596227977603c69496b1bcd86d3888167f05ac15e5aff61b070e2437d831d2aff8236969bbb46cc02ba7
  • SSDEEP: 3072:daLaLLkd5ovlxeNhctm25IQw+EPS789RgGelS1g/tK8j62nyLZOLrcSb54VIcVTk:RLLkilxqhco+IQw+u9RgGQtK8+vwbIr

  Signatures

    • Detects Smokeloader packer
    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • SmokeLoader: Modular backdoor trojan in use since 2014.
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Uses the VBS compiler for execution
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    • Scripting (1): T1064
  • Defense Evasion
    • Scripting (1): T1064
  • Credential Access
    • Credentials in Files (1): T1081
  • Discovery
    • Query Registry (1): T1012
    • Peripheral Device Discovery (1): T1120
    • System Information Discovery (1): T1082
  • Collection
    • Data from Local System (1): T1005
