General
Target: 076152df033e967ce8aee3d3cbc9b1aafdc07b0cb601e9afa31e7b08d9e5894a
Size: 2.6MB
Sample: 220419-mkj9fscgck
MD5: fb7c117a520c51ef9709f9466ee99768
SHA1: a112d347cf8d36bc8a748654099a4c1c438ca074
SHA256: 076152df033e967ce8aee3d3cbc9b1aafdc07b0cb601e9afa31e7b08d9e5894a
SHA512: 16898c7d3c657f28d8c25a7fbcb25132b003119c9d933aa04e332c320a890a8c1a72ac1d5c6948df2e4b940c1f805b1d818aea24be527e473d6e69345e06fc6a
Static task: static1
Behavioral task: behavioral1
  Sample: 076152df033e967ce8aee3d3cbc9b1aafdc07b0cb601e9afa31e7b08d9e5894a.exe
  Resource: win10-20220414-en
Malware Config
Extracted: smokeloader
  Version: 2020
  C2: http://hydroxychl0roquine.xyz/
  C2: https://hydroxychl0roquine.xyz/
Extracted: redline
  Botnet: @ChelnEvreya
  C2: 46.8.220.88:65531
  auth_value: d24bb0cd8742d0e0fba1abfab06e4005
Extracted: arkei
  Botnet: Default
  C2: http://92.119.160.244/Biasdmxit.php
Extracted: redline
  Botnet: test run
  C2: 2.58.56.219:39064
  auth_value: 8d3e3da14c8032e314235e1d040823c7
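The four extracted configurations above, together with the hash set in the General section, are the actionable output of this report. What follows is an added example, my own code rather than anything from the sandbox or from the malware families listed, that parses the Extracted block exactly as the page prints it into validated C2 records (URL or host:port, port range checked, defanged for tickets) and checks a file against the report's four digests. The record layout, the function names and the stand-in sample bytes are assumptions; the real sample is not on the page.

```python
"""Added example (not from the sandbox report): parse the report's
Extracted-config block into validated IOC records and verify a file
against the report's hash set.

Assumptions (none come from the report): the record layout is my own,
the sandbox does not export this format, and the bytes used for the
hash check are constructed, not the real sample.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed copy of the report's "Malware Config / Extracted" lines, laid
# out as the page prints them: family, optional label line, C2 lines, and
# an optional auth_value pair.
EXTRACTED_BLOCK = """\
Extracted
smokeloader
2020
http://hydroxychl0roquine.xyz/
https://hydroxychl0roquine.xyz/
Extracted
redline
@ChelnEvreya
46.8.220.88:65531
auth_value
d24bb0cd8742d0e0fba1abfab06e4005
Extracted
arkei
Default
http://92.119.160.244/Biasdmxit.php
Extracted
redline
test run
2.58.56.219:39064
auth_value
8d3e3da14c8032e314235e1d040823c7
"""

# Digests printed in the report's General/Targets sections.
REPORT_HASHES = {
    "md5": "fb7c117a520c51ef9709f9466ee99768",
    "sha1": "a112d347cf8d36bc8a748654099a4c1c438ca074",
    "sha256": "076152df033e967ce8aee3d3cbc9b1aafdc07b0cb601e9afa31e7b08d9e5894a",
    "sha512": "16898c7d3c657f28d8c25a7fbcb25132b003119c9d933aa04e332c320a890a8c"
              "1a72ac1d5c6948df2e4b940c1f805b1d818aea24be527e473d6e69345e06fc6a",
}
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HOST_PORT = re.compile(r"^(?P<host>[^:/\s]+):(?P<port>\d{1,5})$")
HEX = re.compile(r"^[0-9a-f]+$")


@dataclass
class C2:
    scheme: str          # "http", "https", or "tcp" for a bare host:port
    host: str
    port: int
    path: str = ""

    def defanged(self) -> str:
        """Render so the indicator cannot be clicked or auto-resolved."""
        host = self.host.replace(".", "[.]")
        if self.scheme == "tcp":
            return f"{host}:{self.port}"
        return f"{self.scheme.replace('http', 'hxxp')}://{host}{self.path}"


@dataclass
class ExtractedConfig:
    family: str
    label: Optional[str] = None       # version or botnet string, as printed
    c2: List[C2] = field(default_factory=list)
    auth_value: Optional[str] = None


def parse_c2(line: str) -> Optional[C2]:
    """Return a C2 for a URL or host:port line, None for any other line."""
    if "://" in line:
        u = urlparse(line)
        if u.scheme not in ("http", "https") or not u.hostname:
            return None
        port = u.port or (443 if u.scheme == "https" else 80)
        return C2(u.scheme, u.hostname, port, u.path or "/")
    m = HOST_PORT.match(line)
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:          # 65531 in the report is in range
        return None
    host = m.group("host")
    try:
        ipaddress.ip_address(host)      # validate IP literals; names pass
    except ValueError:
        pass
    return C2("tcp", host, port)


def parse_extracted(text: str) -> List[ExtractedConfig]:
    """Split the block on 'Extracted' markers and classify each line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    configs: List[ExtractedConfig] = []
    i = 0
    while i < len(lines):
        if lines[i] != "Extracted" or i + 1 >= len(lines):
            raise ValueError(f"malformed block at line {i}: {lines[i]!r}")
        cfg = ExtractedConfig(family=lines[i + 1])
        i += 2
        while i < len(lines) and lines[i] != "Extracted":
            ln = lines[i]
            if ln == "auth_value" and i + 1 < len(lines):
                cfg.auth_value = lines[i + 1]
                i += 2
                continue
            c2 = parse_c2(ln)
            if c2:
                cfg.c2.append(c2)
            elif cfg.label is None:
                cfg.label = ln
            else:
                raise ValueError(f"unrecognised line in {cfg.family}: {ln!r}")
            i += 1
        configs.append(cfg)
    return configs


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_LEN}


def report_hashes_well_formed(report: Dict[str, str] = REPORT_HASHES) -> bool:
    """Catch truncated or corrupted digests before they reach a blocklist."""
    return all(len(v) == HASH_LEN[k] and bool(HEX.match(v)) for k, v in report.items())


def matches_report(data: bytes, report: Dict[str, str] = REPORT_HASHES) -> Dict[str, bool]:
    """Per-algorithm match; a split verdict means a bad copy of the report."""
    got = hash_bytes(data)
    return {k: got[k] == v for k, v in report.items()}


if __name__ == "__main__":
    for cfg in parse_extracted(EXTRACTED_BLOCK):
        print(cfg.family, cfg.label, [c.defanged() for c in cfg.c2], cfg.auth_value)
    print("report hashes well-formed:", report_hashes_well_formed())
    # Constructed stand-in; the real sample is not on the page.
    print(matches_report(b"not the real sample"))
```

Everything is keyed on the shape of the report rather than on its values, so the same parser runs over any other report from the same sandbox; a line that is neither a C2 nor the single label line raises instead of being silently dropped, which is the failure mode to guard against when these records feed a blocklist.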
Targets
Target: 076152df033e967ce8aee3d3cbc9b1aafdc07b0cb601e9afa31e7b08d9e5894a
  Size: 2.6MB
  MD5: fb7c117a520c51ef9709f9466ee99768
  SHA1: a112d347cf8d36bc8a748654099a4c1c438ca074
  SHA256: 076152df033e967ce8aee3d3cbc9b1aafdc07b0cb601e9afa31e7b08d9e5894a
  SHA512: 16898c7d3c657f28d8c25a7fbcb25132b003119c9d933aa04e332c320a890a8c1a72ac1d5c6948df2e4b940c1f805b1d818aea24be527e473d6e69345e06fc6a
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA Environment Variable M4
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
Downloads MZ/PE file
Executes dropped EXE
Deletes itself
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext