General
-
Target
1.exezeakapqe
-
Size
360KB
-
Sample
220419-eqhzksbagk
-
MD5
b441579edee209535eca6408d91a9be1
-
SHA1
460c5cb8d760dfc21d01184a3bf2de63a4d0d802
-
SHA256
3927d5f26c91ddb637336063ef3a8c744ff1a65bdff6a92b2632e3f2fc2f75e3
-
SHA512
32214c73cf475f342edfbe3aab68ad09afe4db8885d4a9d56e4e8a7ab2492225916c6a890e322e58d5a7314537d2f919bf08492e23a98c7368fc1f41cf17f1a7
Static task
static1
Behavioral task
behavioral1
Sample
1.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
1.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
smokeloader
2020
http://hydroxychl0roquine.xyz/
https://hydroxychl0roquine.xyz/
Extracted
redline
@ChelnEvreya
46.8.220.88:65531
-
auth_value
d24bb0cd8742d0e0fba1abfab06e4005
Extracted
redline
install
193.150.103.38:40169
-
auth_value
7b121606198c8456e17d49ab8c2d0e42
Extracted
arkei
Default
http://92.119.160.244/Biasdmxit.php
Extracted
redline
test run
2.58.56.219:39064
-
auth_value
8d3e3da14c8032e314235e1d040823c7
Targets
-
-
Target
1.exezeakapqe
-
Size
360KB
-
MD5
b441579edee209535eca6408d91a9be1
-
SHA1
460c5cb8d760dfc21d01184a3bf2de63a4d0d802
-
SHA256
3927d5f26c91ddb637336063ef3a8c744ff1a65bdff6a92b2632e3f2fc2f75e3
-
SHA512
32214c73cf475f342edfbe3aab68ad09afe4db8885d4a9d56e4e8a7ab2492225916c6a890e322e58d5a7314537d2f919bf08492e23a98c7368fc1f41cf17f1a7
-
Modifies WinLogon for persistence
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA Environment Variable M4
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA Environment Variable M4
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-