General
Target: 4efd2abd7597c86489f7bb602e4a6c755f8695917be6b18ce497f567b3a20088
Size: 221KB
Sample: 210906-z966qsbdf9
MD5: 177418053a6404ed03e22a3e0152892a
SHA1: 7fa84d334e773f78e737b1c071ab359b69566941
SHA256: 4efd2abd7597c86489f7bb602e4a6c755f8695917be6b18ce497f567b3a20088
SHA512: 90a4073cbda2dacdfa5f0c0236c73ec9ca0d57f0523938eeea3b9c8885f5d3ce692ea107d8947369a889936f1095f823ba2d53ebcb5b7b01c36675324a527f1f
Static task: static1
Behavioral task: behavioral1
Sample: 4efd2abd7597c86489f7bb602e4a6c755f8695917be6b18ce497f567b3a20088.exe
Resource: win10-en
Malware Config
Extracted: smokeloader 2020
Extracted: vidar
40.4
1002
https://romkaxarit.tumblr.com/
profile_id: 1002
Extracted: redline
@Ebalosgory
77.83.175.169:11490
Extracted: njrat
62.33.159.162:5674
26c50014115b430
reg_key: 26c50014115b430
splitter: @!#&^%$
Targets
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- XMRig Miner Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext