General
-
Target
d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38
-
Size
234KB
-
Sample
211202-vfj2wsafbk
-
MD5
8a9b7acd470f23cfbd45530fd1508683
-
SHA1
b7fc2e2d2567267b2f019d1ac034b06935158c6b
-
SHA256
d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38
-
SHA512
8e6a26c2aac183ca32d23c0cc45ea7a7c8446b2569bd9470bba1cd6c30aedfd1dc4eea8c8ea2d0895d0f7b14adada19dffdf8d3b212de93ba34566c9c0402048
Static task
static1
Behavioral task
behavioral1
Sample
d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe
Resource
win10-en-20211104
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
smokeloader
2020
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
https://cinems.club/search.php
https://clothes.surf/search.php
Extracted
redline
1
45.9.20.59:46287
Targets
-
-
Target
d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38
-
Size
234KB
-
MD5
8a9b7acd470f23cfbd45530fd1508683
-
SHA1
b7fc2e2d2567267b2f019d1ac034b06935158c6b
-
SHA256
d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38
-
SHA512
8e6a26c2aac183ca32d23c0cc45ea7a7c8446b2569bd9470bba1cd6c30aedfd1dc4eea8c8ea2d0895d0f7b14adada19dffdf8d3b212de93ba34566c9c0402048
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
-
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies RDP port number used by Windows
-
Modifies Windows Firewall
-
Sets DLL path for service in the registry
-
Deletes itself
-
Drops startup file
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-