General
Target: 5c4bc159f2c488513a0d8b710a20a4e247822c4e6cc7a26a24bbc42ab3b8f729
Size: 3.3MB
Sample: 220310-scte2sgbb2
MD5: e07955ea72ceffd3ec3d4eb271d033db
SHA1: e1ff97670cc76fbd73b26d4aaa12ad8b89b3b09b
SHA256: 5c4bc159f2c488513a0d8b710a20a4e247822c4e6cc7a26a24bbc42ab3b8f729
SHA512: a2632d6059984650a92ffefff0e0a85b66d0c81210e5ff33fb0cf52c5f5842219762ce6204842529370082db0f4e570f6c93f49bc178e83ec75786e175c04647
Static task: static1
Behavioral task: behavioral1
Sample: 5c4bc159f2c488513a0d8b710a20a4e247822c4e6cc7a26a24bbc42ab3b8f729.exe
Resource: win7-en-20211208
Malware Config
Extracted: smokeloader
  2020
  http://ppcspb.com/upload/
  http://mebbing.com/upload/
  http://twcamel.com/upload/
  http://howdycash.com/upload/
  http://lahuertasonora.com/upload/
  http://kpotiques.com/upload/
Extracted: redline
  NCanal01
  pupdatastart.tech:80
  pupdatastart.xyz:80
  pupdatastar.store:80
Extracted: redline
  Ani
  yaklalau.xyz:80
Extracted: vidar
  39.3
  706
  https://bandakere.tumblr.com/
  profile_id: 706
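As an added example, not part of the sandbox report: a small Python matcher that takes the C2 endpoints extracted above and runs them over a few constructed proxy-log lines (the log format, timestamps and client addresses are invented for the example). It keys on the exact destination hostname rather than a substring, which matters for the Vidar entry: tumblr.com is a legitimate hosting service, so only the abused subdomain bandakere.tumblr.com is an indicator.

```python
"""Match proxy-log entries against the C2 configuration extracted in this report.

Added example (not part of the sandbox report): the IOC list is copied from the
"Malware Config" section above; the log lines and their format are constructed.
"""
import re
from urllib.parse import urlsplit

# Extracted C2 endpoints, grouped by family (and botnet/profile ID where the
# report gives one). SmokeLoader entries are URLs, RedLine entries are
# host:port pairs, the Vidar entry is a profile page on a legitimate host.
C2_CONFIG = {
    "smokeloader": [
        "http://ppcspb.com/upload/",
        "http://mebbing.com/upload/",
        "http://twcamel.com/upload/",
        "http://howdycash.com/upload/",
        "http://lahuertasonora.com/upload/",
        "http://kpotiques.com/upload/",
    ],
    "redline/NCanal01": [
        "pupdatastart.tech:80",
        "pupdatastart.xyz:80",
        "pupdatastar.store:80",
    ],
    "redline/Ani": ["yaklalau.xyz:80"],
    "vidar/706": ["https://bandakere.tumblr.com/"],
}

# Constructed proxy log: "<timestamp> <client> <method> <target> <status>".
# Lines 1, 3 and 4 should match; 2, 5 and 6 are decoys that must stay
# unflagged (line 5 is what a naive substring search would wrongly hit).
SAMPLE_LOG = """\
2022-03-10T09:00:01Z 10.0.0.5 POST http://ppcspb.com/upload/ 200
2022-03-10T09:00:02Z 10.0.0.5 GET https://www.tumblr.com/ 200
2022-03-10T09:00:03Z 10.0.0.5 GET https://bandakere.tumblr.com/ 200
2022-03-10T09:00:04Z 10.0.0.5 CONNECT pupdatastart.tech:80 200
2022-03-10T09:00:05Z 10.0.0.7 GET http://ppcspb.com.example.org/upload/ 200
2022-03-10T09:00:06Z 10.0.0.7 GET https://example.com/upload/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})$"
)


def normalize_target(target):
    """Return (host, port, path) for a URL or a bare host:port (CONNECT) target."""
    if "://" in target:
        u = urlsplit(target)
        host = (u.hostname or "").lower()
        port = u.port or (443 if u.scheme == "https" else 80)
        return host, port, u.path or "/"
    # Bare host[:port]; IPv6 literals are out of scope for this example.
    host, _, port = target.rpartition(":")
    if not host:
        return target.lower(), 80, ""
    return host.lower(), int(port), ""


def build_index(config):
    """Flatten the config into {host: [(family, path_prefix), ...]}.

    Keyed on the exact hostname: for the Vidar entry that means only
    bandakere.tumblr.com is an indicator, not tumblr.com as a whole.
    """
    index = {}
    for family, entries in config.items():
        for entry in entries:
            host, _, path = normalize_target(entry)
            index.setdefault(host, []).append((family, path))
    return index


def match_line(line, index):
    """Return a hit dict if the line's destination host is in the index, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, port, path = normalize_target(m["target"])
    candidates = index.get(host)
    if not candidates:
        return None
    family, prefix = candidates[0]
    return {
        "client": m["client"],
        "family": family,
        "host": host,
        "port": port,
        # True when the request path also matches the configured C2 path
        # (e.g. SmokeLoader's /upload/); host-only hits still count as hits.
        "path_match": bool(prefix) and path.startswith(prefix),
    }


def scan(lines, index):
    """Scan log lines in order; return hits tagged with 1-based line numbers."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = match_line(line, index)
        if hit:
            hit["line"] = n
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines(), build_index(C2_CONFIG)):
        print(f"line {h['line']}: {h['client']} -> {h['host']}:{h['port']} [{h['family']}]")
```

Running it flags lines 1, 3 and 4 of the constructed log and leaves the www.tumblr.com, ppcspb.com.example.org and example.com/upload/ lines alone. The RedLine hit is reported as host-only because the extracted config carries no path for it; SmokeLoader and Vidar hits also confirm the configured path.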
Targets
Target: 5c4bc159f2c488513a0d8b710a20a4e247822c4e6cc7a26a24bbc42ab3b8f729
Size: 3.3MB
MD5: e07955ea72ceffd3ec3d4eb271d033db
SHA1: e1ff97670cc76fbd73b26d4aaa12ad8b89b3b09b
SHA256: 5c4bc159f2c488513a0d8b710a20a4e247822c4e6cc7a26a24bbc42ab3b8f729
SHA512: a2632d6059984650a92ffefff0e0a85b66d0c81210e5ff33fb0cf52c5f5842219762ce6204842529370082db0f4e570f6c93f49bc178e83ec75786e175c04647
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar Stealer
Executes dropped EXE
Checks computer location settings
  Reads the country code configured in the registry, likely to geofence execution.
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
  The Vidar C2 extracted above is a page on tumblr.com, a legitimate hosting service.
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
Suspicious use of SetThreadContext