General
-
Target
f6ede8409878ceb95b88f9cc7064b816568a0be6a933676709152de794173e1a
-
Size
140KB
-
Sample
210926-s83zcsfba6
-
MD5
831ba3bb4dfd40bf0408d07a186eb216
-
SHA1
adf6f3514edc63b5ce5b91d3bc781a13bb176247
-
SHA256
f6ede8409878ceb95b88f9cc7064b816568a0be6a933676709152de794173e1a
-
SHA512
e1c4f66d3aa75dce06993a49bc511cfaae178651b96860114f49df36ff48a5e4f8c7eb8b26a4675b0d53597a103034a7c06f1be7a4d60fdf9638af15c3546da7
Malware Config
Extracted
smokeloader
2020
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
Extracted
redline
karma
94.103.9.133:39323
Extracted
redline
Bliss
185.237.98.178:62607
Targets
-
-
Target
f6ede8409878ceb95b88f9cc7064b816568a0be6a933676709152de794173e1a
-
Size
140KB
-
MD5
831ba3bb4dfd40bf0408d07a186eb216
-
SHA1
adf6f3514edc63b5ce5b91d3bc781a13bb176247
-
SHA256
f6ede8409878ceb95b88f9cc7064b816568a0be6a933676709152de794173e1a
-
SHA512
e1c4f66d3aa75dce06993a49bc511cfaae178651b96860114f49df36ff48a5e4f8c7eb8b26a4675b0d53597a103034a7c06f1be7a4d60fdf9638af15c3546da7
Score10/10-
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Chinese Botnet Payload
-
Executes dropped EXE
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-