General
- Target: 3feb7deca4f523c34c7be06105d58ac0936e7c8b668886ea058a6fa2b4fc9905
- Size: 221KB
- Sample: 210906-xjdqdsbdb6
- MD5: 54e2fce74b3f39e6f7050d0b3b9b0636
- SHA1: c3c050cd2a43344b1d86a9ba0951d744aa5f460d
- SHA256: 3feb7deca4f523c34c7be06105d58ac0936e7c8b668886ea058a6fa2b4fc9905
- SHA512: ce7276159630b7aca066786e754669c05b8fb04a094acb2d7ad78996c57f6f1551f5376d327fd709915ba60e248a09df5a2e10382c13dcaba08aa815bc128cdc
Static task: static1
Behavioral task: behavioral1
Sample: 3feb7deca4f523c34c7be06105d58ac0936e7c8b668886ea058a6fa2b4fc9905.exe
Resource: win10-en
Malware Config
Extracted
smokeloader
2020
Extracted
redline
newnew
185.167.97.37:30904
Extracted
vidar
40.4
936
https://romkaxarit.tumblr.com/
- profile_id: 936
Extracted
raccoon
fe582536ec580228180f270f7cb80a867860e010
- url4cnc: https://telete.in/xylichanjk
Extracted
vidar
40.4
1002
https://romkaxarit.tumblr.com/
- profile_id: 1002
Extracted
redline
@Ebalosgory
77.83.175.169:11490
Targets
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- XMRig Miner Payload
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext