redline | 7982e05dc454253fe66ed687e24f0ae2d3d1b83d9695ca196692d0391da24fc9 | Triage

Submit
Reports

Overview

overview

Static

static

3

c2bb29d1de...69.exe

windows7-x64

c2bb29d1de...69.exe

windows10-2004-x64

Sharing

General

Target

c2bb29d1deb9922b924285443da650bb38f5cbdc67905294369cda2795d38b69
Size

321KB
Sample

231101-1zse9sfd75
MD5

3a86eb9ce4aac25353b7eb7b238c3131
SHA1

2afa736d35e1251e3fd3b685942873f74d6d5f16
SHA256

7982e05dc454253fe66ed687e24f0ae2d3d1b83d9695ca196692d0391da24fc9
SHA512

dd41499ea8b2d05a68691650d6bee3b7e11cfaa9cad7c50086444f2c185704cab47f46d4dcdfce0306fc640d92dfee400d3b8a4e700acfb8269367699ea69c9a
SSDEEP

6144:aCoMtc+8W3f2BS1nNfpDAb2K0bOetfr9kxZeYq1q8MC2/0i6SLVTIw6qqmyl3o9V:ahMy+8W3e01nNfpDG2K0bOetTafq1q8u

Score

10^/10

redline smokeloader grome kinza backdoor paypal infostealer persistence phishing trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

c2bb29d1deb9922b924285443da650bb38f5cbdc67905294369cda2795d38b69.exe

Resource

win7-20231020-en

redline smokeloader grome backdoor infostealer persistence trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

c2bb29d1deb9922b924285443da650bb38f5cbdc67905294369cda2795d38b69.exe

Resource

win10v2004-20231023-en

redline smokeloader grome kinza backdoor paypal infostealer persistence phishing trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Targets

- Target
  
  c2bb29d1deb9922b924285443da650bb38f5cbdc67905294369cda2795d38b69
- Size
  
  891KB
- MD5
  
  ee928e4d4d5e0af6d5cba4937ca9d782
- SHA1
  
  d90c19524fafc80e79d2ab46002b2b11fd3f2324
- SHA256
  
  c2bb29d1deb9922b924285443da650bb38f5cbdc67905294369cda2795d38b69
- SHA512
  
  e92bff0e3d1308e404c92f7a5700cb3979eaecd20c0162be23b7184464ec1c060b7bb081fa049f530b180639127e0444ffbc52bd9a6c5275b4f2e430ad91cb90
- SSDEEP
  
  12288:NqAPd5o7rmNwdUUEE+qgnulOdnuODG9KDFkXbzyu2yYyr:pbSmNwdUUEE+B1dbS9KDF
Score

10^/10

redline smokeloader grome backdoor infostealer persistence trojan kinza paypal phishing
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

redlinesmokeloadergromebackdoorinfostealerpersistencetrojan

behavioral2

redlinesmokeloadergromekinzabackdoorpaypalinfostealerpersistencephishingtrojan

© 2018-2024

Terms | Privacy