General

Target: e6d4476b5b17e367aee91bee70f486a6ad0624f09ea99c24638919f041d3b335
Size: 150KB
Sample: 211122-x661fsgfgl
MD5: 5142d9fdf2c60e5c03f2d5def4ac97c3
SHA1: 067fefe06a747ee88aa1910e70b0531722a0f2d0
SHA256: e6d4476b5b17e367aee91bee70f486a6ad0624f09ea99c24638919f041d3b335
SHA512: 7d02d0978e87e6973edfdd11737abd76c097ca36aa1c5aacb3a88aa779ebd1bef5b01c294d4299e6fde5130096c726dfc1c64be47b5ab30e20f8c797df855e09
Static task: static1
Malware Config

Extracted: smokeloader
- Version: 2020
- C2: http://host-file-host6.com/
- C2: http://host-host-file8.com/

Extracted: tofsee
- C2: quadoil.ru
- C2: lakeflex.ru

Extracted: redline
- C2: 185.159.80.90:38637

Extracted: arkei
- Botnet: Default
- C2: http://file-file-host4.com/tratata.php

Extracted: redline
- Botnet: @123
- C2: 141.95.82.50:63652
Targets

Target: e6d4476b5b17e367aee91bee70f486a6ad0624f09ea99c24638919f041d3b335
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Arkei Stealer Payload
- XMRig Miner Payload
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory
- Suspicious use of SetThreadContext