redline | 1d5d32418c5fe0c3d196fdf89115f606ab80a17273f3b218b9c1578001ea6aba | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

1d5d32418c5fe0c3d196fdf89115f606ab80a17273f3b218b9c1578001ea6aba
Size

239KB
Sample

230101-zj88eacf69
MD5

9e7c445d2e195c3f6994f23975c09a81
SHA1

07cddeb3a8177883de7af3ec6615dec99072cb4b
SHA256

1d5d32418c5fe0c3d196fdf89115f606ab80a17273f3b218b9c1578001ea6aba
SHA512

17f197c2c10d6256b0793752b4ef0357672647889534f982014e3617f6ddaa6c125e0d805135dba472e85ecaaf05778de98f373f2094fdc79f95c064d5e85412
SSDEEP

3072:9XR2IaLluwnbu5sItXmc34HiunhWkafoM2nvQGW7iSWt:5WLNbFwXZvAV4b7i

Score

10^/10

redline smokeloader @zallllis backdoor discovery infostealer spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

1d5d32418c5fe0c3d196fdf89115f606ab80a17273f3b218b9c1578001ea6aba.exe

Resource

win10v2004-20220812-en

redline smokeloader @zallllis backdoor discovery infostealer spyware stealer trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

@zallllis

C2

45.15.157.136:7429

Attributes

auth_value
819f274cbc0e7c8d89e811e4a9877964

Targets

- Target
  
  1d5d32418c5fe0c3d196fdf89115f606ab80a17273f3b218b9c1578001ea6aba
- Size
  
  239KB
- MD5
  
  9e7c445d2e195c3f6994f23975c09a81
- SHA1
  
  07cddeb3a8177883de7af3ec6615dec99072cb4b
- SHA256
  
  1d5d32418c5fe0c3d196fdf89115f606ab80a17273f3b218b9c1578001ea6aba
- SHA512
  
  17f197c2c10d6256b0793752b4ef0357672647889534f982014e3617f6ddaa6c125e0d805135dba472e85ecaaf05778de98f373f2094fdc79f95c064d5e85412
- SSDEEP
  
  3072:9XR2IaLluwnbu5sItXmc34HiunhWkafoM2nvQGW7iSWt:5WLNbFwXZvAV4b7i
Score

10^/10

redline smokeloader @zallllis backdoor discovery infostealer spyware stealer trojan
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Web Service

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

redlinesmokeloader@zallllisbackdoordiscoveryinfostealerspywarestealertrojan

© 2018-2024

Terms | Privacy