General
- Target: 6E52D162BAF265E070EC1A3147AD651D8BD8481D96B33.exe
- Size: 3MB
- Sample: 220112-apgynsacb4
- MD5: defafd07d253ff3e67f6bb04d59b125c
- SHA1: 9ac9b2bea4507031b79db57c5fe3856bf1900d69
- SHA256: 6e52d162baf265e070ec1a3147ad651d8bd8481d96b33cee1b89d84e9c92c5f3
- SHA512: f654fe4ae503ca459ca9c261a6f76b08ca14a5e807785ebc5f13f3a7d8290e45cc3d1c987c7edc091acff9624d0e2caf8d4dac9f8d26d7ab0699aacba47db4b8
Static task
- static1

Behavioral task
- behavioral1: Sample 6E52D162BAF265E070EC1A3147AD651D8BD8481D96B33.exe, Resource win7-en-20211208
- behavioral2: Sample 6E52D162BAF265E070EC1A3147AD651D8BD8481D96B33.exe, Resource win10-en-20211208
Malware Config

Extracted: smokeloader
- Version: 2020
- C2: http://directorycart.com/upload/
- C2: http://tierzahnarzt.at/upload/
- C2: http://streetofcards.com/upload/
- C2: http://ycdfzd.com/upload/
- C2: http://successcoachceo.com/upload/
- C2: http://uhvu.cn/upload/
- C2: http://japanarticle.com/upload/

Extracted: redline
- Botnet: fucker2
- C2: 135.181.129.119:4805

Extracted: redline
- Botnet: media18
- C2: 91.121.67.60:2151
Targets
- Target: 6E52D162BAF265E070EC1A3147AD651D8BD8481D96B33.exe
- Size: 3MB
- MD5: defafd07d253ff3e67f6bb04d59b125c
- SHA1: 9ac9b2bea4507031b79db57c5fe3856bf1900d69
- SHA256: 6e52d162baf265e070ec1a3147ad651d8bd8481d96b33cee1b89d84e9c92c5f3
- SHA512: f654fe4ae503ca459ca9c261a6f76b08ca14a5e807785ebc5f13f3a7d8290e45cc3d1c987c7edc091acff9624d0e2caf8d4dac9f8d26d7ab0699aacba47db4b8

Signatures
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (technique and number of matching signatures per tactic)
- Collection: Data from Local System (1)
- Command and Control: none
- Credential Access: Credentials in Files (1)
- Discovery: Query Registry (3), System Information Discovery (4), Peripheral Device Discovery (1)
- Execution: none
- Exfiltration: none
- Impact: none
- Initial Access: none
- Lateral Movement: none
- Persistence: Modify Existing Service (1)
- Privilege Escalation: none