General

  • Target

    487eb4d42bee52098d2375e5d04e86f85c9addf15d2a969e5b7e61ef127340cb

  • Size

    528KB

  • Sample

    220415-rft1bacggn

  • MD5

    0a812a69a1080234c0a1c9f92512be4d

  • SHA1

    2865d6f4bf0dcfbc971f4d96bd1048534e0e18c5

  • SHA256

    487eb4d42bee52098d2375e5d04e86f85c9addf15d2a969e5b7e61ef127340cb

  • SHA512

    a021786d2e2a5b983fbbed5e54013ccc3ac7926a6f9a12ff06d20e72e779698e5f17eeb73fbef77b3bcca3a1530be6ff6284e0b1a68fe4d939ddaed3cf1790a2

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://hydroxychl0roquine.xyz/

https://hydroxychl0roquine.xyz/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

@ChelnEvreya

C2

46.8.220.88:65531

Attributes
  • auth_value

    d24bb0cd8742d0e0fba1abfab06e4005
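The extracted configs above give three usable network and file indicators: the SmokeLoader C2 domain, the RedLine C2 socket, and the sample's hashes. The script below is an added example (not part of this report or of the sandbox's own tooling) that normalises those values into lookup sets and sweeps them over log lines. The log lines are constructed for illustration; the regexes and the "same IP, different port" weaker-signal category are the author's design choices, not something the report states.

```python
"""Added example: sweep the extracted-config IOCs from this report over log lines."""
import re
from urllib.parse import urlparse

# IOCs transcribed from the extracted configs in this report.
SMOKELOADER_C2 = ["http://hydroxychl0roquine.xyz/", "https://hydroxychl0roquine.xyz/"]
REDLINE_C2 = "46.8.220.88:65531"
SAMPLE_HASHES = {
    "md5": "0a812a69a1080234c0a1c9f92512be4d",
    "sha1": "2865d6f4bf0dcfbc971f4d96bd1048534e0e18c5",
    "sha256": "487eb4d42bee52098d2375e5d04e86f85c9addf15d2a969e5b7e61ef127340cb",
}

# Loose extractors for free-text logs (assumption: lines are lower-cased before matching).
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
SOCKET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b")

# Constructed sample log lines (not taken from the report): a proxy access log,
# a connection log and an EDR file-write event, plus a benign line.
SAMPLE_LOGS = [
    "2022-04-15T12:01:02Z proxy client=10.0.0.21 method=GET url=http://hydroxychl0roquine.xyz/ status=200",
    "2022-04-15T12:01:09Z conn src=10.0.0.21:49812 dst=46.8.220.88:65531 proto=tcp bytes=1412",
    "2022-04-15T12:00:58Z edr host=WS01 action=file_write path=C:\\Users\\u\\AppData\\Local\\Temp\\build.exe "
    "sha256=487eb4d42bee52098d2375e5d04e86f85c9addf15d2a969e5b7e61ef127340cb",
    "2022-04-15T12:02:00Z proxy client=10.0.0.22 method=GET url=https://example.com/ status=200",
    "2022-04-15T12:03:11Z conn src=10.0.0.23:50102 dst=46.8.220.88:443 proto=tcp bytes=980",
]


def build_iocs():
    """Normalise the report's config values into lookup sets."""
    ip, port = REDLINE_C2.rsplit(":", 1)
    return {
        "domains": {urlparse(u).hostname for u in SMOKELOADER_C2},
        "ips": {ip},
        "sockets": {(ip, int(port))},
        "hashes": set(SAMPLE_HASHES.values()),
    }


def scan_line(line, iocs):
    """Return (kind, value) hits for one log line.

    An exact ip:port match is reported as c2_socket; the same IP on another port
    is reported separately as a weaker signal (C2 port rotation, other payloads).
    """
    hits = []
    low = line.lower()
    for dom in DOMAIN_RE.findall(low):
        if dom in iocs["domains"]:
            hits.append(("c2_domain", dom))
    for ip, port in SOCKET_RE.findall(low):
        if port and (ip, int(port)) in iocs["sockets"]:
            hits.append(("c2_socket", f"{ip}:{port}"))
        elif ip in iocs["ips"]:
            hits.append(("c2_ip_other_port", f"{ip}:{port or '?'}"))
    for h in HASH_RE.findall(low):
        if h in iocs["hashes"]:
            hits.append(("sample_hash", h))
    return hits


def scan_logs(lines, iocs=None):
    """Scan every line; returns a list of (line_index, kind, value)."""
    if iocs is None:
        iocs = build_iocs()
    return [(i, kind, value)
            for i, line in enumerate(lines)
            for kind, value in scan_line(line, iocs)]


if __name__ == "__main__":
    for i, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {i}: {kind} {value}")
```

Hash matching is the brittle part: it only catches the exact dropped file, and the report itself notes the sample is VMProtect-packed and downloads further PE files, so the domain and socket indicators will usually fire first in practice.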

Targets

    • Target

      487eb4d42bee52098d2375e5d04e86f85c9addf15d2a969e5b7e61ef127340cb

    • Size

      528KB

    • MD5

      0a812a69a1080234c0a1c9f92512be4d

    • SHA1

      2865d6f4bf0dcfbc971f4d96bd1048534e0e18c5

    • SHA256

      487eb4d42bee52098d2375e5d04e86f85c9addf15d2a969e5b7e61ef127340cb

    • SHA512

      a021786d2e2a5b983fbbed5e54013ccc3ac7926a6f9a12ff06d20e72e779698e5f17eeb73fbef77b3bcca3a1530be6ff6284e0b1a68fe4d939ddaed3cf1790a2

    • Meta Stealer

      Meta Stealer, written in C++, steals passwords stored in browsers.

    • Modifies WinLogon for persistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Deletes itself

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks