General
-
Target
b63d3b8b62e291a6490497cbbc2b788f216fe7a2fcf5f37bf2eb856bc5689700
-
Size
300KB
-
Sample
211214-g9xm7afcb3
-
MD5
14a6af9c5a8fb3d20e1ccde46623bd15
-
SHA1
0bfda1f4f5c08a2dce85980eeb88ff775b72c611
-
SHA256
b63d3b8b62e291a6490497cbbc2b788f216fe7a2fcf5f37bf2eb856bc5689700
-
SHA512
5ad10b3a40608d26e668d1f35cb8320891b681e67743a34a324bdb23e2590af120835a2afd167cd7551c12df0fdb587a529c9a9744c851072c097836f31b4e4c
Static task
static1
Behavioral task
behavioral1
Sample
b63d3b8b62e291a6490497cbbc2b788f216fe7a2fcf5f37bf2eb856bc5689700.exe
Resource
win10-en-20211208
Malware Config
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
Extracted
raccoon
9ea5fe19c17f2e278d5c0d9536978c9866e2383e
-
url4cnc
http://194.180.174.53/hoverpattern31
http://91.219.236.18/hoverpattern31
http://194.180.174.41/hoverpattern31
http://91.219.236.148/hoverpattern31
https://t.me/hoverpattern31
Extracted
redline
185.112.83.69:37026
Extracted
redline
xxluchxx1
212.86.102.63:62907
Targets
-
-
Target
b63d3b8b62e291a6490497cbbc2b788f216fe7a2fcf5f37bf2eb856bc5689700
-
Size
300KB
-
MD5
14a6af9c5a8fb3d20e1ccde46623bd15
-
SHA1
0bfda1f4f5c08a2dce85980eeb88ff775b72c611
-
SHA256
b63d3b8b62e291a6490497cbbc2b788f216fe7a2fcf5f37bf2eb856bc5689700
-
SHA512
5ad10b3a40608d26e668d1f35cb8320891b681e67743a34a324bdb23e2590af120835a2afd167cd7551c12df0fdb587a529c9a9744c851072c097836f31b4e4c
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Arkei Stealer Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Drops startup file
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-