redline | a2dd865e34a468b4967dbf31339629e1990e29fd0b2427d87f33001797d7a5fb | Triage

Submit
Reports

Overview

overview

Static

static

3

dridex

windows10-2004-x64

Sharing

General

Target

a2dd865e34a468b4967dbf31339629e1990e29fd0b2427d87f33001797d7a5fb
Size

957KB
Sample

231101-3tq2csed51
MD5

97e82ff2bb4f600d8b4c4dba2a3fa3c0
SHA1

8e5e57d3c85d0a05b6ac252f11859994c4222002
SHA256

a2dd865e34a468b4967dbf31339629e1990e29fd0b2427d87f33001797d7a5fb
SHA512

aaad011224eca4e34c4b2b1b6505c60c26dbd3cc441541135beeaa77e899acfae03ee491c4e183c637b21df48ea0abaa935955dc492c23c5e5a4f476545322ad
SSDEEP

12288:kbc03o2dAKlpItf+BV3XHSlHYBPHJqXbmxoRj3cQpRnRu9cdT14:x042dAK4tf+BVHHkIoRj3cQD

Score

10^/10

redline smokeloader grome kinza backdoor paypal infostealer persistence phishing trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

a2dd865e34a468b4967dbf31339629e1990e29fd0b2427d87f33001797d7a5fb.exe

Resource

win10v2004-20231023-en

redline smokeloader grome kinza backdoor paypal infostealer persistence phishing trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Targets

- Target
  
  a2dd865e34a468b4967dbf31339629e1990e29fd0b2427d87f33001797d7a5fb
- Size
  
  957KB
- MD5
  
  97e82ff2bb4f600d8b4c4dba2a3fa3c0
- SHA1
  
  8e5e57d3c85d0a05b6ac252f11859994c4222002
- SHA256
  
  a2dd865e34a468b4967dbf31339629e1990e29fd0b2427d87f33001797d7a5fb
- SHA512
  
  aaad011224eca4e34c4b2b1b6505c60c26dbd3cc441541135beeaa77e899acfae03ee491c4e183c637b21df48ea0abaa935955dc492c23c5e5a4f476545322ad
- SSDEEP
  
  12288:kbc03o2dAKlpItf+BV3XHSlHYBPHJqXbmxoRj3cQpRnRu9cdT14:x042dAK4tf+BVHHkIoRj3cQD
Score

10^/10

redline smokeloader grome kinza backdoor paypal infostealer persistence phishing trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

redlinesmokeloadergromekinzabackdoorpaypalinfostealerpersistencephishingtrojan

© 2018-2024

Terms | Privacy