General
-
Target
21c581fc8290a9b48495c00a9b41c04a.exe
-
Size
2.5MB
-
Sample
220420-lh8ctsbgaj
-
MD5
21c581fc8290a9b48495c00a9b41c04a
-
SHA1
21b76cbf267a5793148bfcf6ef9a4c85d0044c0b
-
SHA256
2b460be5f1a90e3646a9dd03e95752f824adcfe2e2e15a746aa8d4844398f454
-
SHA512
26f3bfa7706a2474afe7034a0f93c3540ad09fc31f4fbf498df7185652a0ab50398f31362696ca702677e83412f3912a0a8b5f34ba0dd1e2f49a8c5106362d8d
Static task
static1
Behavioral task
behavioral1
Sample
21c581fc8290a9b48495c00a9b41c04a.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
21c581fc8290a9b48495c00a9b41c04a.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
smokeloader
2020
http://hydroxychl0roquine.xyz/
https://hydroxychl0roquine.xyz/
Extracted
redline
@ChelnEvreya
46.8.220.88:65531
-
auth_value
d24bb0cd8742d0e0fba1abfab06e4005
Extracted
redline
193.106.191.253:4752
88.198.110.77:4160
-
auth_value
d70abb888e21cd1fe47c5c6f98a28d12
Extracted
arkei
Default
http://92.119.160.244/Biasdmxit.php
Extracted
redline
test run
2.58.56.219:39064
-
auth_value
8d3e3da14c8032e314235e1d040823c7
Targets
-
Target
21c581fc8290a9b48495c00a9b41c04a.exe
-
Size
2.5MB
-
MD5
21c581fc8290a9b48495c00a9b41c04a
-
SHA1
21b76cbf267a5793148bfcf6ef9a4c85d0044c0b
-
SHA256
2b460be5f1a90e3646a9dd03e95752f824adcfe2e2e15a746aa8d4844398f454
-
SHA512
26f3bfa7706a2474afe7034a0f93c3540ad09fc31f4fbf498df7185652a0ab50398f31362696ca702677e83412f3912a0a8b5f34ba0dd1e2f49a8c5106362d8d
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA Environment Variable M4
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
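The Python below is an added example, not code from the sandbox report or from RedLine, SmokeLoader or Arkei. It ties two of the signatures above to something a detection engineer can run: it maps registry accesses from a constructed API trace onto the anti-VM, BIOS, geofence and installed-software signatures listed in this report, using the standard Windows keys those checks read (the key-to-signature mapping and the tab-separated trace format are this example's assumptions), and it shows why a network rule that looks for a base64-encoded stealer config mentioning the APPDATA environment variable has to cover all three base64 alignments, which is the usual reason an ET alert name carries an M1..Mn variant suffix. The HTTP body is constructed, not captured traffic.

```python
"""Two checks illustrating behaviours listed in this report.

Added example; not code from the sandbox report or from the listed malware
families. Registry paths are standard Windows keys; their mapping to the
report's signature names, the trace format and the HTTP body are constructed.
"""
import base64

# Registry locations queried by the fingerprinting behaviours named in the
# report (HKLM/HKCU abbreviated; matched as case-insensitive prefixes).
REGISTRY_SIGNATURES = {
    "Identifies VirtualBox via ACPI registry values": [
        r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
        r"HKLM\HARDWARE\ACPI\FADT\VBOX__",
        r"HKLM\HARDWARE\ACPI\RSDT\VBOX__",
    ],
    "Checks BIOS information in registry": [
        r"HKLM\HARDWARE\DESCRIPTION\System\BIOS",
        r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    ],
    "Checks computer location settings": [
        r"HKCU\Control Panel\International\Geo\Nation",
    ],
    "Checks installed software on the system": [
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    ],
}


def classify_registry_access(path):
    """Return the report signature a registry path falls under, or None."""
    norm = (path.replace("HKEY_LOCAL_MACHINE", "HKLM")
                .replace("HKEY_CURRENT_USER", "HKCU")
                .lower())
    for name, prefixes in REGISTRY_SIGNATURES.items():
        if any(norm.startswith(p.lower()) for p in prefixes):
            return name
    return None


def triage_api_trace(lines):
    """Map 'API<TAB>argument' trace lines onto signature names (sorted, unique).

    Only Reg* calls are inspected; file and process calls are ignored here.
    """
    hits = set()
    for line in lines:
        api, _, arg = line.partition("\t")
        if api.startswith("Reg") and arg:
            sig = classify_registry_access(arg.strip())
            if sig:
                hits.add(sig)
    return sorted(hits)


def base64_needles(token):
    """Every base64 form of `token` as it can occur inside a longer stream.

    Base64 encodes 3-byte groups, so the same bytes produce three different
    character sequences depending on their offset modulo 3. Char i covers
    bits [6i, 6i+6); only chars lying entirely within the token's own bits
    are kept, so each needle matches regardless of the surrounding bytes.
    """
    data = token.encode()
    needles = set()
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + data).decode().rstrip("=")
        first = -(-8 * shift // 6)              # ceil(8*shift / 6)
        last = 8 * (shift + len(data)) // 6     # floor, exclusive
        needles.add(enc[first:last])
    return sorted(needles)


def contains_base64_token(payload, token):
    """True if `payload` carries a base64 encoding of `token` at any alignment."""
    return any(n in payload for n in base64_needles(token))


def build_sample_config(prefix_len):
    """Constructed stand-in for a base64 stealer config referencing %APPDATA%."""
    plain = b"x" * prefix_len + b"<Target>%APPDATA%\\Exodus</Target>"
    return base64.b64encode(plain).decode()


# Constructed API-trace lines; the last two must not match any signature.
SAMPLE_TRACE = [
    "RegOpenKeyExW\tHKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
    "RegQueryValueExW\tHKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer",
    "RegQueryValueExW\tHKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation",
    "RegEnumKeyExW\tHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
    "RegQueryValueExW\tHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "CreateFileW\tC:\\Users\\user\\AppData\\Roaming\\Exodus\\exodus.wallet",
]

if __name__ == "__main__":
    for sig in triage_api_trace(SAMPLE_TRACE):
        print("registry:", sig)
    for k in range(3):
        found = contains_base64_token(build_sample_config(k), "%APPDATA%")
        print(f"token offset mod 3 = {(k + 8) % 3}: base64 %APPDATA% found = {found}")
```

Two caveats for anyone reusing this. Registry reads of the kind classified here are visible in a sandbox API trace but not in default Sysmon telemetry, which records key creation and value writes (events 12 to 14) rather than reads, so on a production host this logic needs an API-level or ETW source. The base64 matcher assumes an unwrapped, standard-alphabet base64 body; line-wrapped or URL-safe output must be normalised first, which is what a rule engine's base64 decoding keyword does for you.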