General
Target: 29669b199ce94a9ee97f8955480b8e8f5b0ed8b38824f4316f094668a71e0b2c
Size: 335KB
Sample: 211024-pt42bsfafn
MD5: a77a8e986138bacc3eeb643cddc9062a
SHA1: da0c4503c6a44796713aac1cb1df104dd9b4e33f
SHA256: 29669b199ce94a9ee97f8955480b8e8f5b0ed8b38824f4316f094668a71e0b2c
SHA512: 02ec61fe2dde565490de182aa5a9ccfa808a1a2f02792c1d4ed8d0d73b318d69d10cf94c4622851128a9cc46cb397a7eec927cc6328ea24082144481f12e43c3

Static task: static1
Behavioral task: behavioral1
Sample: 29669b199ce94a9ee97f8955480b8e8f5b0ed8b38824f4316f094668a71e0b2c.exe
Resource: win10-en-20210920
Malware Config

Extracted: smokeloader
2020
http://xacokuo8.top/
http://hajezey1.top/

Extracted: raccoon
7ebf9b416b72a203df65383eec899dc689d2c3d7
url4cnc: http://telegatt.top/agrybirdsgamerept, http://telegka.top/agrybirdsgamerept, http://telegin.top/agrybirdsgamerept, https://t.me/agrybirdsgamerept

Extracted: raccoon
a4b1cb9c5c4d693cc9860fbe648999419f9d3d4f
url4cnc: http://telegin.top/kaba4ello, http://ttmirror.top/kaba4ello, http://teletele.top/kaba4ello, http://telegalive.top/kaba4ello, http://toptelete.top/kaba4ello, http://telegraf.top/kaba4ello, https://t.me/kaba4ello
Targets
Target: 29669b199ce94a9ee97f8955480b8e8f5b0ed8b38824f4316f094668a71e0b2c
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext