redline | 25af15773a8bb1e526700551d0cb89976b3d103e1164f7b2a17e8ae9e553c188 | Triage

Submit
Reports

Overview

overview

Static

static

3

dridex

windows10-1703-x64

Sharing

General

Target

25af15773a8bb1e526700551d0cb89976b3d103e1164f7b2a17e8ae9e553c188
Size

957KB
Sample

231101-z1pkbsdb9t
MD5

8697bf0a75b558372d40f4ec62c1fd34
SHA1

8558f1b9035fb6710a75bf379f2a0accb6d79f05
SHA256

25af15773a8bb1e526700551d0cb89976b3d103e1164f7b2a17e8ae9e553c188
SHA512

9552881cb83b62fa5a19b5aa824da7da251205cc9e1e3bde074ce4aabc028db92e9f974dfbecb72a5817c2eb547f2e21dbd2dba60248caaeb3d000e3cb57434c
SSDEEP

12288:6bcfxo2dAKlpItf+BV3XHSlHYBPHJqXbmxoRj3cQpRnRu9cdTTk:Hfu2dAK4tf+BVHHkIoRj3cQD

Score

10^/10

redline smokeloader grome backdoor google paypal infostealer persistence phishing trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

25af15773a8bb1e526700551d0cb89976b3d103e1164f7b2a17e8ae9e553c188.exe

Resource

win10-20231020-en

redline smokeloader grome backdoor google paypal infostealer persistence phishing trojan

windows10-1703-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Targets

- Target
  
  25af15773a8bb1e526700551d0cb89976b3d103e1164f7b2a17e8ae9e553c188
- Size
  
  957KB
- MD5
  
  8697bf0a75b558372d40f4ec62c1fd34
- SHA1
  
  8558f1b9035fb6710a75bf379f2a0accb6d79f05
- SHA256
  
  25af15773a8bb1e526700551d0cb89976b3d103e1164f7b2a17e8ae9e553c188
- SHA512
  
  9552881cb83b62fa5a19b5aa824da7da251205cc9e1e3bde074ce4aabc028db92e9f974dfbecb72a5817c2eb547f2e21dbd2dba60248caaeb3d000e3cb57434c
- SSDEEP
  
  12288:6bcfxo2dAKlpItf+BV3XHSlHYBPHJqXbmxoRj3cQpRnRu9cdTTk:Hfu2dAK4tf+BVHHkIoRj3cQD
Score

10^/10

redline smokeloader grome backdoor google paypal infostealer persistence phishing trojan
- Detected google phishing page
  phishing google
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

redlinesmokeloadergromebackdoorgooglepaypalinfostealerpersistencephishingtrojan

© 2018-2024

Terms | Privacy