General

  • Target

    279ecacaf6084caf1182f157dae2ed79b2d3090cb74c89c990c912aecfe12c80

  • Size

    232KB

  • Sample

    221226-gbslksff7t

  • MD5

    1771c07026a2874ec2b2364ea82c460a

  • SHA1

    d5fa05499777f0206a0a1180f3c2e481e6c2ea4d

  • SHA256

    279ecacaf6084caf1182f157dae2ed79b2d3090cb74c89c990c912aecfe12c80

  • SHA512

    78c594f2c4d8de0f5dace04e0be184040b585243092e71ebd705c056502fc008b9b45eff735fb6283f4e08379041d4719b3424fdf6cb536ea13f7a76e4484e11

  • SSDEEP

    3072:gkGUbxLk7u5RTewCiVvMwwF/VuiHoglS1g/tK8NwxgcPLrcSb54VIcVTuh:gWLk7pwuw4umtK8N1c7bIr

Malware Config

Extracted

Family

redline

Botnet

11

C2

79.137.202.18:45218

Attributes
  • auth_value

    107e09eee63158d2488feb03dac75204

Targets

    • Target

      279ecacaf6084caf1182f157dae2ed79b2d3090cb74c89c990c912aecfe12c80

    • Size

      232KB

    • MD5

      1771c07026a2874ec2b2364ea82c460a

    • SHA1

      d5fa05499777f0206a0a1180f3c2e481e6c2ea4d

    • SHA256

      279ecacaf6084caf1182f157dae2ed79b2d3090cb74c89c990c912aecfe12c80

    • SHA512

      78c594f2c4d8de0f5dace04e0be184040b585243092e71ebd705c056502fc008b9b45eff735fb6283f4e08379041d4719b3424fdf6cb536ea13f7a76e4484e11

    • SSDEEP

      3072:gkGUbxLk7u5RTewCiVvMwwF/VuiHoglS1g/tK8NwxgcPLrcSb54VIcVTuh:gWLk7pwuw4umtK8N1c7bIr

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Tasks