General
- Target: win_setup__621708b8b769c.exe
- Size: 6.0MB
- Sample: 220224-e9nzyadcan
- MD5: be2caaf0356171d4f6c109f720edb75f
- SHA1: 327d9610f733c5e9d76eeb55739cea70523e84c6
- SHA256: 054f4390cf430a215bbac1f9eb82969666157f3dcd60a526cb8876dcca88fdcb
- SHA512: 202bc1e205ee6f0e3f913fd8e86feac42f6ec8d3daa10004886659f18e13d68b9cdf61fea43dc4b12a142b6ac2fbf9009333d8801f3ba3d4f7436607ad3c4845
Static task: static1
Behavioral task: behavioral1
- Sample: win_setup__621708b8b769c.exe
- Resource: win7-20220223-en
Malware Config
Extracted: smokeloader 2020
Extracted: redline
mediam10
92.255.57.154:11841
- auth_value: c244f3014e6aa11d9b853b0c94e0743e
Targets
- Target: win_setup__621708b8b769c.exe
- Process spawned unexpected child process. This typically indicates the parent process was compromised via an exploit or macro.
- RedLine. RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- suricata: ET MALWARE GCleaner Downloader Activity M5
- suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
- suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
- OnlyLogger Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings. Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system. Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext