General
-
Target
3927d5f26c91ddb637336063ef3a8c744ff1a65bdff6a92b2632e3f2fc2f75e3
-
Size
360KB
-
Sample
220418-cpqlxsfack
-
MD5
b441579edee209535eca6408d91a9be1
-
SHA1
460c5cb8d760dfc21d01184a3bf2de63a4d0d802
-
SHA256
3927d5f26c91ddb637336063ef3a8c744ff1a65bdff6a92b2632e3f2fc2f75e3
-
SHA512
32214c73cf475f342edfbe3aab68ad09afe4db8885d4a9d56e4e8a7ab2492225916c6a890e322e58d5a7314537d2f919bf08492e23a98c7368fc1f41cf17f1a7
Static task
static1
Behavioral task
behavioral1
Sample
3927d5f26c91ddb637336063ef3a8c744ff1a65bdff6a92b2632e3f2fc2f75e3.exe
Resource
win10-20220414-en
Malware Config
Extracted
smokeloader
2020
http://hydroxychl0roquine.xyz/
https://hydroxychl0roquine.xyz/
Extracted
redline
@ChelnEvreya
46.8.220.88:65531
-
auth_value
d24bb0cd8742d0e0fba1abfab06e4005
Extracted
redline
install
193.150.103.38:40169
-
auth_value
7b121606198c8456e17d49ab8c2d0e42
Extracted
redline
1_15_04
45.10.247.117:36590
-
auth_value
6a5baa6f754657611c7410300a615e51
Extracted
arkei
Default
http://92.119.160.244/Biasdmxit.php
Extracted
redline
test run
2.58.56.219:39064
-
auth_value
8d3e3da14c8032e314235e1d040823c7
Targets
-
-
Target
3927d5f26c91ddb637336063ef3a8c744ff1a65bdff6a92b2632e3f2fc2f75e3
-
Modifies WinLogon for persistence
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA Environment Variable M4
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-