General
-
Target
ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e.exe
-
Size
9KB
-
Sample
210322-ebnlm3ltze
-
MD5
2151c4b970eff0071948dbbc19066aa4
-
SHA1
6044352fbee4746c6dd4d53950fb8070cd3ae309
-
SHA256
ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e144e000dd97c1abbc78
-
SHA512
e09f6beae51995324edfd09f830df63666e44809c5f02dba5ae0c82cebdbc49029832cdd4443785d0aaffc094fb3f52613258292459406e68cc8a2df2f007a85
Static task
static1
Behavioral task
behavioral1
Sample
ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e.exe
Resource
win10v20201028
Malware Config
Extracted
raccoon
c46f13f8aadc028907d65c627fd9163161661f6c
-
url4cnc
https://telete.in/capibar
Extracted
raccoon
2ce901d964b370c5ccda7e4d68354ba040db8218
-
url4cnc
https://telete.in/tomarsjsmith3
Extracted
smokeloader
2019
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
Extracted
raccoon
afefd33a49c7cbd55d417545269920f24c85aa37
-
url4cnc
https://telete.in/jagressor_kz
Targets
-
-
Target
ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e.exe
-
Size
9KB
-
MD5
2151c4b970eff0071948dbbc19066aa4
-
SHA1
6044352fbee4746c6dd4d53950fb8070cd3ae309
-
SHA256
ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e144e000dd97c1abbc78
-
SHA512
e09f6beae51995324edfd09f830df63666e44809c5f02dba5ae0c82cebdbc49029832cdd4443785d0aaffc094fb3f52613258292459406e68cc8a2df2f007a85
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE
-
Sets service image path in registry
-
Drops startup file
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-