redline | bb585b40a7d5f2dad95fb91e7a60881c89ecb9712882feaa330ef473f5a38cd9 | Triage

Submit
Reports

Overview

overview

Static

static

3

dridex

windows10-2004-x64

Sharing

General

Target

bb585b40a7d5f2dad95fb91e7a60881c89ecb9712882feaa330ef473f5a38cd9
Size

957KB
Sample

231101-1gerfsfb38
MD5

34f5f8d9985a9eadd72272e7abd537a7
SHA1

4d1590ea21885339979908d3add85430a2dec1aa
SHA256

bb585b40a7d5f2dad95fb91e7a60881c89ecb9712882feaa330ef473f5a38cd9
SHA512

f7ce7a7a7884e16fdbb56b536552ea5dfc835ab50e3a655007b4220c3cdbe325489b98e0a9713e050ef18ccacd614d70ec1e7d2ed0a41bb87cfdafb277a69543
SSDEEP

12288:tbcrZo2dAKlpItf+BV3XHSlHYBPHJqXbmxoRj3cQpRnRu9cdTwcRp:GrG2dAK4tf+BVHHkIoRj3cQDh

Score

10^/10

redline smokeloader grome kinza backdoor paypal infostealer persistence phishing trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

bb585b40a7d5f2dad95fb91e7a60881c89ecb9712882feaa330ef473f5a38cd9.exe

Resource

win10v2004-20231023-en

redline smokeloader grome kinza backdoor paypal infostealer persistence phishing trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Targets

- Target
  
  bb585b40a7d5f2dad95fb91e7a60881c89ecb9712882feaa330ef473f5a38cd9
- Size
  
  957KB
- MD5
  
  34f5f8d9985a9eadd72272e7abd537a7
- SHA1
  
  4d1590ea21885339979908d3add85430a2dec1aa
- SHA256
  
  bb585b40a7d5f2dad95fb91e7a60881c89ecb9712882feaa330ef473f5a38cd9
- SHA512
  
  f7ce7a7a7884e16fdbb56b536552ea5dfc835ab50e3a655007b4220c3cdbe325489b98e0a9713e050ef18ccacd614d70ec1e7d2ed0a41bb87cfdafb277a69543
- SSDEEP
  
  12288:tbcrZo2dAKlpItf+BV3XHSlHYBPHJqXbmxoRj3cQpRnRu9cdTwcRp:GrG2dAK4tf+BVHHkIoRj3cQDh
Score

10^/10

redline smokeloader grome kinza backdoor paypal infostealer persistence phishing trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

redlinesmokeloadergromekinzabackdoorpaypalinfostealerpersistencephishingtrojan

© 2018-2024

Terms | Privacy