General
-
Target
641073a7b38fa3b3e938af4810596eaf53a89e565919d.exe
-
Size
813KB
-
Sample
210430-9lambkjr5a
-
MD5
c4bb2285a9f20e982707e4c9ee4f7e35
-
SHA1
0021818c5bbc147738f323a98e42131411471db8
-
SHA256
641073a7b38fa3b3e938af4810596eaf53a89e565919dc505bf055f091d0b509
-
SHA512
a1c4a206dc99e1ef40cbec21fd1acf43323e13be94483367156c8abeda7fa0ee0f9269c27271015c4bd9b465e99122cf6611d96a08891b0b9ff0dca1f212c9d7
Static task
static1
Behavioral task
behavioral1
Sample
641073a7b38fa3b3e938af4810596eaf53a89e565919d.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
641073a7b38fa3b3e938af4810596eaf53a89e565919d.exe
Resource
win10v20210410
Malware Config
Extracted
smokeloader
2020
http://greenco2020.top/
http://greenco2021.top/
http://greenco2022.top/
Targets
-
-
Target
641073a7b38fa3b3e938af4810596eaf53a89e565919d.exe
-
Size
813KB
-
MD5
c4bb2285a9f20e982707e4c9ee4f7e35
-
SHA1
0021818c5bbc147738f323a98e42131411471db8
-
SHA256
641073a7b38fa3b3e938af4810596eaf53a89e565919dc505bf055f091d0b509
-
SHA512
a1c4a206dc99e1ef40cbec21fd1acf43323e13be94483367156c8abeda7fa0ee0f9269c27271015c4bd9b465e99122cf6611d96a08891b0b9ff0dca1f212c9d7
-
Modifies WinLogon for persistence
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Async RAT payload
-
Nirsoft
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-