General
Target: ae1e179bde5dd7bc86c7bf00155234e3.exe
Size: 224KB
Sample: 210906-g8x8bsdffn
MD5: ae1e179bde5dd7bc86c7bf00155234e3
SHA1: 3d150b9176b71abafc44a5e5cf7aed1ed9cad827
SHA256: 303de99f3a658f14a927ae269d1f5858f67a72cb6aa4e162c3f2a9dd2f0e20da
SHA512: 90fe13b0ace20b0b562471adc3d7673e300d8a5a560c3f64a50cc4c4ed3353e0bbfd5d461fb8fd8663665f32ef085a062ace892901ed4654cc9025b9c43e0c2d
Static task: static1
Behavioral task: behavioral1
Sample: ae1e179bde5dd7bc86c7bf00155234e3.exe
Resource: win7-en
Malware Config
Extracted: smokeloader
2020
Extracted: redline
newnew
185.167.97.37:30904
Extracted: vidar
40.4
936
https://romkaxarit.tumblr.com/
profile_id: 936
Extracted: raccoon
fe582536ec580228180f270f7cb80a867860e010
url4cnc: https://telete.in/xylichanjk
Extracted: redline
200
45.14.49.28:56898
Extracted: vidar
40.4
973
https://romkaxarit.tumblr.com/
profile_id: 973
Extracted: vidar
40.4
948
https://romkaxarit.tumblr.com/
profile_id: 948
Extracted: vidar
40.4
937
https://romkaxarit.tumblr.com/
profile_id: 937
Targets
Target: ae1e179bde5dd7bc86c7bf00155234e3.exe (224KB; same hashes as listed under General)
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- XMRig Miner Payload
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (2)
- New Service (1)
- Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (3)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
- Install Root Certificate (1)