General

Target: d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2
Size: 362KB
Sample: 220417-rj254aadc4
MD5: f3d8a5b25431abe4862b8e302b089732
SHA1: 025aa58b827649604eda994ed7e61fc9d9761f21
SHA256: d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2
SHA512: f8e503ed6da1b1e11050baec075ed3da2da33887c783cd8a288b0d951b074cc0c253f64459293d114c188d2e2441ccf75b4f57a4d52336359dfa1f57507ad979
Static task: static1
Behavioral task: behavioral1
  Sample: d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2.exe
  Resource: win10-20220414-en
Malware Config

Extracted: smokeloader
  Version: 2020
  C2: http://hydroxychl0roquine.xyz/
  C2: https://hydroxychl0roquine.xyz/
Extracted: redline
  Botnet: @ChelnEvreya
  C2: 46.8.220.88:65531
  auth_value: d24bb0cd8742d0e0fba1abfab06e4005
Extracted: redline
  Botnet: cheat
  C2: 91.199.137.32:29712
Extracted: redline
  Botnet: install
  C2: 193.150.103.38:40169
  auth_value: 7b121606198c8456e17d49ab8c2d0e42
Extracted: arkei
  Botnet: Default
  C2: http://92.119.160.244/Biasdmxit.php
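The extracted configs above are the part of this report an analyst actually acts on. The Python below is an added example, not code from the sandbox or the report: it parses the raw "Extracted" block layout (family line, a label line, C2 entries, optional auth_value, with "-" separator lines as noise) into records, flattens them to network indicators, and matches those against a few constructed proxy/firewall log lines. The log layout (src=/dst= fields) and the sample IPs 10.0.0.x are assumptions made for illustration; the C2 values are copied from the report.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Constructed copy of the report's "Malware Config" block (values as printed in the report).
CONFIG_TEXT = """
Extracted
smokeloader
2020
http://hydroxychl0roquine.xyz/
https://hydroxychl0roquine.xyz/
Extracted
redline
@ChelnEvreya
46.8.220.88:65531
-
auth_value
d24bb0cd8742d0e0fba1abfab06e4005
Extracted
redline
cheat
91.199.137.32:29712
Extracted
redline
install
193.150.103.38:40169
-
auth_value
7b121606198c8456e17d49ab8c2d0e42
Extracted
arkei
Default
http://92.119.160.244/Biasdmxit.php
"""
HOSTPORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


@dataclass
class ExtractedConfig:
    family: str
    label: Optional[str] = None    # version, botnet ID or profile name, whatever the family reports
    c2_urls: list = field(default_factory=list)
    c2_sockets: list = field(default_factory=list)   # (ip, port) pairs
    auth_value: Optional[str] = None


def parse_configs(text: str) -> list:
    """Walk the block line by line: 'Extracted' starts a record, '-' lines are layout noise."""
    configs, cfg, want_family, want_auth = [], None, False, False
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line == "-":
            continue
        if line == "Extracted":
            want_family = True         # the family name is the next line
        elif want_family:
            configs.append(cfg := ExtractedConfig(family=line))
            want_family = False
        elif cfg is None:
            raise ValueError(f"field outside any config block: {line!r}")
        elif want_auth:
            cfg.auth_value, want_auth = line, False
        elif line == "auth_value":
            want_auth = True
        elif (m := HOSTPORT_RE.match(line)):
            port = int(m.group(2))
            if not 1 <= port <= 65535:  # 65531 in the report is a real port; reject parse garbage
                raise ValueError(f"bad port in {line!r}")
            cfg.c2_sockets.append((m.group(1), port))
        elif line.startswith(("http://", "https://")):
            cfg.c2_urls.append(line)
        elif cfg.label is None:
            cfg.label = line
        else:
            raise ValueError(f"unrecognised field {line!r} in {cfg.family} config")
    return configs


def network_iocs(configs) -> dict:
    """Map ('host', name) and ('socket', 'ip:port') keys to the family that uses them."""
    return {**{("host", urlparse(u).hostname): c.family for c in configs for u in c.c2_urls},
            **{("socket", f"{ip}:{port}"): c.family for c in configs for ip, port in c.c2_sockets}}


# Constructed proxy/firewall lines in an assumed key=value layout (not from the report).
SAMPLE_LOGS = [
    "2022-04-17T12:00:01Z proxy src=10.0.0.5 dst=hydroxychl0roquine.xyz:443 method=POST",
    "2022-04-17T12:00:02Z fw src=10.0.0.5 dst=46.8.220.88:65531 proto=tcp action=allow",
    "2022-04-17T12:00:03Z proxy src=10.0.0.7 dst=example.com:443 method=GET",
    "2022-04-17T12:00:04Z fw src=10.0.0.9 dst=92.119.160.244:80 proto=tcp action=allow",
]
DST_RE = re.compile(r"\bdst=([^:\s]+):(\d+)")


def match_logs(log_lines, iocs) -> list:
    """Return (src, indicator, family) for each line whose dst socket or host is a known C2."""
    hits = []
    for line in log_lines:
        m = DST_RE.search(line)
        if not m:
            continue
        host, port = m.groups()
        src = re.search(r"\bsrc=(\S+)", line)
        for key in (("socket", f"{host}:{port}"), ("host", host)):  # exact socket before bare host
            if key in iocs:
                hits.append((src.group(1) if src else "?", key[1], iocs[key]))
                break
    return hits
```

`match_logs(SAMPLE_LOGS, network_iocs(parse_configs(CONFIG_TEXT)))` returns three hits: the SmokeLoader domain, the RedLine socket 46.8.220.88:65531, and the Arkei host 92.119.160.244 (matched on the bare IP even though the log shows port 80, because the report gives a URL rather than a socket for that family). The example.com line is left alone.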
Targets

Target: d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2
Size: 362KB
MD5: f3d8a5b25431abe4862b8e302b089732
SHA1: 025aa58b827649604eda994ed7e61fc9d9761f21
SHA256: d4baea4557d5696a6fa51e514e324238b32cea5cc9102b59d87c511f350d21d2
SHA512: f8e503ed6da1b1e11050baec075ed3da2da33887c783cd8a288b0d951b074cc0c253f64459293d114c188d2e2441ccf75b4f57a4d52336359dfa1f57507ad979
- Modifies WinLogon for persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext
  Commonly seen in process hollowing, where a child process is created suspended, its image is replaced, and SetThreadContext redirects the main thread to the injected code.