General
-
Target
ba8efe2177fb6ff81a33fdc05be551b805b180edc0bd113d493734bd2ae78176
-
Size
264KB
-
Sample
220508-rbx66sheb7
-
MD5
86c0240b73b0bd0528e6b1d410769851
-
SHA1
6a42adda017b1a6f6324b7ea8e8323a761cdf026
-
SHA256
ba8efe2177fb6ff81a33fdc05be551b805b180edc0bd113d493734bd2ae78176
-
SHA512
ec166e8839e6ff52a119ca7197cac8029e9de249717ede5d7aa09b1de84ab6aba6dd0421b57ffcb40cb5f2736af4e039edc1243d22405610f0000f1c9d871541
Static task
static1
Behavioral task
behavioral1
Sample
ba8efe2177fb6ff81a33fdc05be551b805b180edc0bd113d493734bd2ae78176.exe
Resource
win10-20220414-en
Malware Config
Extracted
smokeloader
2020
http://monsutiur4.com/
http://nusurionuy5ff.at/
http://moroitomo4.net/
http://susuerulianita1.net/
http://cucumbetuturel4.com/
http://nunuslushau.com/
http://linislominyt11.at/
http://luxulixionus.net/
http://lilisjjoer44.com/
http://nikogminut88.at/
http://limo00ruling.org/
http://mini55tunul.com/
http://samnutu11nuli.com/
http://nikogkojam.org/
Extracted
djvu
http://ugll.org/lancer/get.php
-
extension
.egfg
-
offline_id
QcVY9rkapJoL3nQkZAsvfTFVYLmscrM1v1QxGWt1
-
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-6Ti2DxXR3I Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@time2mail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0474JIjdm
Extracted
vidar
52
1333
https://t.me/hollandracing
https://busshi.moe/@ronxik321
-
profile_id
1333
Extracted
redline
2
91.241.19.193:11630
-
auth_value
8f1381a27a56c64f6bc5ea1d4744ee1a
Targets
-
-
Target
ba8efe2177fb6ff81a33fdc05be551b805b180edc0bd113d493734bd2ae78176
-
Size
264KB
-
MD5
86c0240b73b0bd0528e6b1d410769851
-
SHA1
6a42adda017b1a6f6324b7ea8e8323a761cdf026
-
SHA256
ba8efe2177fb6ff81a33fdc05be551b805b180edc0bd113d493734bd2ae78176
-
SHA512
ec166e8839e6ff52a119ca7197cac8029e9de249717ede5d7aa09b1de84ab6aba6dd0421b57ffcb40cb5f2736af4e039edc1243d22405610f0000f1c9d871541
-
Detected Djvu ransomware
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-