General
Target: d8184527ce6cb218c4171b92d6fd51b1cd83e1e53d1546978ec95076813f5af6
Size: 318KB
Sample ID: 211207-bthw7sffbn
MD5: 5bc881f2aa788e8f22fecf2b50c071f6
SHA1: 19fc7edd95fc2c013c1116dbe605df89c5d56e3d
SHA256: d8184527ce6cb218c4171b92d6fd51b1cd83e1e53d1546978ec95076813f5af6
SHA512: 1ae5644f389e41ef1263e034a5c04f5e4cd726f5972b908605a2e89ea59b82bc84e30a507daccd12eff69be29ce2c28859866ee0e16afa49cd21466cd34aee52
Static task: static1
Behavioral task: behavioral1
Sample: d8184527ce6cb218c4171b92d6fd51b1cd83e1e53d1546978ec95076813f5af6.exe
Resource: win10-en-20211104
Malware Config
Extracted
Family: smokeloader
Version: 2020
C2:
http://host-data-coin-11.com/
http://file-coin-host-12.com/

Extracted
Family: raccoon
Version: 1.8.3-hotfix
Botnet: f797145799b7b1b77b35d81de942eee0908da519
Attributes:
url4cnc (URLs the stealer polls to retrieve its live C2):
http://91.219.236.27/capibar
http://94.158.245.167/capibar
http://185.163.204.216/capibar
http://185.225.19.238/capibar
http://185.163.204.218/capibar
https://t.me/capibar

Extracted
Family: amadey
Version: 2.86
C2:
185.215.113.35/d2VxjasuwS/index.php
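The extracted configurations above are only useful to a defender once they are normalised into indicators that can be matched against logs. The following is an added example (not part of the sandbox report) that copies the C2 values from the Malware Config section, splits each into URL and host indicators, and runs them over a handful of constructed proxy-log lines. The one deliberate design choice is the handling of https://t.me/capibar: t.me is a shared platform, so only the full URL is treated as an indicator, never the bare host; the `SHARED_HOSTS` set, the log format and the log lines are assumptions made for this example.

```python
"""Normalise the extracted SmokeLoader / Raccoon / Amadey C2 config into IOCs
and match them against proxy-log lines.

Added example, not part of the sandbox report. The config values are copied
from the report; the proxy-log format and log lines are constructed here.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Raw C2 values copied verbatim from the Malware Config section of the report.
EXTRACTED_CONFIG = {
    "smokeloader": [
        "http://host-data-coin-11.com/",
        "http://file-coin-host-12.com/",
    ],
    "raccoon": [
        "http://91.219.236.27/capibar",
        "http://94.158.245.167/capibar",
        "http://185.163.204.216/capibar",
        "http://185.225.19.238/capibar",
        "http://185.163.204.218/capibar",
        "https://t.me/capibar",
    ],
    "amadey": [
        "185.215.113.35/d2VxjasuwS/index.php",  # the report lists it without a scheme
    ],
}

# Hosts shared with legitimate traffic (assumption for this example): the full
# URL is an indicator, the bare host is not, otherwise all Telegram use is flagged.
SHARED_HOSTS = {"t.me"}


def normalize(family, raw):
    """Turn one config entry into (type, value, family) tuples.

    Always yields a 'url' indicator; adds an 'ipv4' or 'domain' indicator for
    the host unless the host is a shared platform.
    """
    url = raw if re.match(r"^[a-z]+://", raw) else "http://" + raw
    host = urlparse(url).hostname
    iocs = [("url", url, family)]
    if host in SHARED_HOSTS:
        return iocs
    try:
        ipaddress.ip_address(host)
        iocs.append(("ipv4", host, family))
    except ValueError:
        iocs.append(("domain", host, family))
    return iocs


def build_ioc_set(config=EXTRACTED_CONFIG):
    """Deduplicated, ordered list of indicators from the whole config."""
    out, seen = [], set()
    for family, entries in config.items():
        for raw in entries:
            for ioc in normalize(family, raw):
                if ioc not in seen:
                    seen.add(ioc)
                    out.append(ioc)
    return out


# Constructed proxy-log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2021-12-07T10:01:02Z 10.0.0.5 GET http://host-data-coin-11.com/ 200
2021-12-07T10:01:09Z 10.0.0.5 GET http://185.163.204.216/capibar 200
2021-12-07T10:02:30Z 10.0.0.7 GET https://t.me/some_public_channel 200
2021-12-07T10:03:11Z 10.0.0.5 POST http://185.215.113.35/d2VxjasuwS/index.php 200
2021-12-07T10:04:00Z 10.0.0.9 GET https://www.example.com/ 200
"""


def match_log(log_text, iocs=None):
    """Return (line_number, family, matched_indicator) for every hit.

    Exact URL matches win; otherwise the request host is checked against the
    IP and domain indicators. Shared hosts such as t.me only hit on full URL.
    """
    iocs = build_ioc_set() if iocs is None else iocs
    urls = {v: f for t, v, f in iocs if t == "url"}
    hosts = {v: f for t, v, f in iocs if t in ("ipv4", "domain")}
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        host = urlparse(url).hostname
        if url in urls:
            hits.append((n, urls[url], url))
        elif host in hosts:
            hits.append((n, hosts[host], host))
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Running the block flags lines 1, 2 and 4 of the constructed log (SmokeLoader, Raccoon and Amadey respectively) and leaves the unrelated t.me request alone; the same `build_ioc_set()` output can be exported to a DNS sinkhole or proxy blocklist, with the t.me entry kept URL-only.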
Targets
Target: d8184527ce6cb218c4171b92d6fd51b1cd83e1e53d1546978ec95076813f5af6 (318KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures:
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  Sharik is the Emerging Threats name for SmokeLoader; this network alert corroborates the extracted smokeloader configuration.
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP. Because the destination itself is benign, treat this as supporting context for the other behaviours rather than as a blockable indicator on its own.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Anti-debugging: hides the calling thread from an attached debugger.
- Suspicious use of SetThreadContext
  Commonly used to redirect execution into an injected or unpacked payload (process hollowing / thread hijacking).