redline | e3a9da83120254b2273e120609a4e2d0d9b7aa5e598f391f272f582388d7e314 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

f1976eb1a439881ee68eb43382cb2ca272c18d89b630f204b46690e4470a2c2b
Size

137KB
Sample

230102-ylsg1abb9z
MD5

e2e7561072d09f1a5196f28d910958dd
SHA1

7dea3eb2427935b09ddae8eb33a424dca425223b
SHA256

e3a9da83120254b2273e120609a4e2d0d9b7aa5e598f391f272f582388d7e314
SHA512

d66178dcbded3734ce71385c6178a51b23da215826b11ef590529fb368f9ca9d523387d6d04360493b8e93a3473bb52d6a99ffa1737b927fddefce759a7f99d6
SSDEEP

3072:i4L5FKhuIZyAoDuJ+yEtoFkm8tg7F2C97kEEg67cOS5gx:RL5Fheq+FAqhXYEG79S+x

Score

10^/10

redline smokeloader @zallllis backdoor infostealer spyware trojan

Malware Config

Extracted

Family

redline

Botnet

@zallllis

C2

45.15.157.136:7429

Attributes

auth_value
819f274cbc0e7c8d89e811e4a9877964

Targets

- Target
  
  f1976eb1a439881ee68eb43382cb2ca272c18d89b630f204b46690e4470a2c2b
- Size
  
  211KB
- MD5
  
  442a961c402c10cfcb06345f3173ed09
- SHA1
  
  a91888e4f4e121a47ba6bd1565dc5d89d7ae6ddd
- SHA256
  
  f1976eb1a439881ee68eb43382cb2ca272c18d89b630f204b46690e4470a2c2b
- SHA512
  
  3ad169a651bcb9a783ae8a163c4b84d0a7dec7151044e2b58aa56d30fce5d0092876144eb9d95c2cc717af831f3421ca1913f49dee33bb825983b6ce914e5b86
- SSDEEP
  
  3072:jWXZtvO4LNyNGrIU56U9g75KIIff6m8tg7F2C97kEEg67csRDIdQPjW6:6rhLtsvU9FRXKqhXYEG7xRfP/
Score

10^/10

smokeloader backdoor trojan redline @zallllis infostealer spyware
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Web Service

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

redlinesmokeloader@zallllisbackdoorinfostealerspywaretrojan