General

  • Target

    3a99389b880ae3f89214477a855bb16090ca2b50816c864527ea9bf97f1ef182

  • Size

    232KB

  • Sample

    221226-keytjscf44

  • MD5

    5e584245a4447107219c48f4d9be90af

  • SHA1

    cef0260dca891d4de275c40f091d4fed1be2cd12

  • SHA256

    3a99389b880ae3f89214477a855bb16090ca2b50816c864527ea9bf97f1ef182

  • SHA512

    c0e4a1c1f8907ba0f6e9512d5d2685e3807582b3a4a2474a9d5173891587715b363597d659c551896093fa6bc94e22f1926f86b5f59bd46509e2991bbc4ea3ab

  • SSDEEP

    3072:rNOU/Ll55hE37Bwg2PpDNj/hAvlS1g/tK8iHAaLrcSb54VIcVTuh:7LllE37Bw9xDfARtK8iHAsbIr

Malware Config

Extracted

Family

redline

Botnet

11

C2

79.137.202.18:45218

Attributes
  • auth_value

    107e09eee63158d2488feb03dac75204

Targets

    • Target

      3a99389b880ae3f89214477a855bb16090ca2b50816c864527ea9bf97f1ef182

    • Size

      232KB

    • MD5

      5e584245a4447107219c48f4d9be90af

    • SHA1

      cef0260dca891d4de275c40f091d4fed1be2cd12

    • SHA256

      3a99389b880ae3f89214477a855bb16090ca2b50816c864527ea9bf97f1ef182

    • SHA512

      c0e4a1c1f8907ba0f6e9512d5d2685e3807582b3a4a2474a9d5173891587715b363597d659c551896093fa6bc94e22f1926f86b5f59bd46509e2991bbc4ea3ab

    • SSDEEP

      3072:rNOU/Ll55hE37Bwg2PpDNj/hAvlS1g/tK8iHAaLrcSb54VIcVTuh:7LllE37Bw9xDfARtK8iHAsbIr

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext
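As an added example, not part of the sandbox report: a small Python hunt script that takes the indicators this report extracted (the sample's MD5/SHA-1/SHA-256 and the RedLine C2 endpoint 79.137.202.18:45218) and checks them against locally collected evidence. Only the hash and C2 values come from the report; the connection-record format, the log lines and the file inventory are constructed for illustration.

```python
"""
Hunt for the indicators extracted in the report above (sample hashes and the
RedLine C2 host:port) in host and network evidence.

Indicator values come from the report. The log format, the log lines and the
inventory entries below are constructed for illustration only.
"""
import hashlib
import re

# Indicators taken from the report.
SAMPLE_HASHES = {
    "md5": "5e584245a4447107219c48f4d9be90af",
    "sha1": "cef0260dca891d4de275c40f091d4fed1be2cd12",
    "sha256": "3a99389b880ae3f89214477a855bb16090ca2b50816c864527ea9bf97f1ef182",
}
C2_HOST = "79.137.202.18"
C2_PORT = 45218

# Constructed connection records in a hypothetical format (not from the report):
#   "<timestamp> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>"
SAMPLE_LOGS = [
    "2022-12-26T10:00:01Z src=10.0.0.5:51234 dst=79.137.202.18:45218 proto=tcp",
    "2022-12-26T10:00:03Z src=10.0.0.5:51235 dst=142.250.74.68:443 proto=tcp",
    "2022-12-26T10:04:17Z src=10.0.0.9:49811 dst=79.137.202.18:80 proto=tcp",
    "2022-12-26T10:05:00Z src=10.0.0.7:49900 dst=10.0.0.1:45218 proto=udp",
    "2022-12-26T10:06:42Z src=10.0.0.5:51240 dst=79.137.202.18:45218 proto=tcp",
]

_RECORD = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def c2_hits(lines):
    """Return (timestamp, src_ip, kind) for every record whose destination is the C2 host.

    kind is "c2" for an exact host:port match against the extracted config and
    "host-only" when only the IP matches (worth triage, but not the configured
    RedLine endpoint). Malformed records are skipped rather than guessed at.
    """
    hits = []
    for line in lines:
        m = _RECORD.match(line)
        if not m or m["dst"] != C2_HOST:
            continue
        kind = "c2" if int(m["dport"]) == C2_PORT else "host-only"
        hits.append((m["ts"], m["src"], kind))
    return hits


def hashes_of(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a blob, keyed like SAMPLE_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_sample(data: bytes) -> bool:
    """True only if all three digests agree with the report.

    A single weak-algorithm match (MD5 alone) is not enough to tie a file to
    this sample; requiring agreement across algorithms costs nothing here.
    """
    actual = hashes_of(data)
    return all(actual[alg] == digest for alg, digest in SAMPLE_HASHES.items())


def hunt_inventory(inventory: dict) -> list:
    """inventory maps file path -> SHA-256 (e.g. an EDR export, constructed here).

    Returns the paths whose SHA-256 equals the sample's, case-insensitively,
    since tools differ in hex casing.
    """
    wanted = SAMPLE_HASHES["sha256"]
    return sorted(path for path, digest in inventory.items() if digest.lower() == wanted)


if __name__ == "__main__":
    for ts, src, kind in c2_hits(SAMPLE_LOGS):
        print(f"{ts} {src} -> {C2_HOST} [{kind}]")
    print("blob matches sample:", matches_sample(b"not the sample"))
```

The script separates exact host:port hits from host-only hits on purpose: RedLine's C2 is configured as an IP and port pair, so a connection to the same address on a different port is a lead to triage, not a confirmed beacon. Likewise, the file check requires all three digests from the report to agree rather than trusting MD5 alone.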

MITRE ATT&CK Matrix (ATT&CK v6)

The number in parentheses is the count of signatures mapped to that technique. Technique IDs follow ATT&CK v6; in current ATT&CK, T1064 (Scripting) is deprecated in favour of the T1059 Command and Scripting Interpreter sub-techniques, and T1081 maps to T1552.001 (Unsecured Credentials: Credentials In Files).

  • Execution

    Scripting (1)  T1064

  • Defense Evasion

    Scripting (1)  T1064

  • Credential Access

    Credentials in Files (1)  T1081

  • Discovery

    Query Registry (1)  T1012

    Peripheral Device Discovery (1)  T1120

    System Information Discovery (1)  T1082

  • Collection

    Data from Local System (1)  T1005

Tasks