General
-
Target
f13899dec145e83e8a1a7ee5be6fca18a24461d60bddd388c121d76c53eced90
-
Size
2.2MB
-
Sample
220511-l33cbagcg3
-
MD5
1f8f8cc2fb5c5e5af84558cdf927205c
-
SHA1
7a4ab20469c3e0054e9dacf84a8157fcccf4e59d
-
SHA256
f13899dec145e83e8a1a7ee5be6fca18a24461d60bddd388c121d76c53eced90
-
SHA512
4a5a5e2fb4505d16c3746a27839f5b72f8c17f4e1d88a10d4d52fff0b7e9c0de73ed2d6551dad3b621e1a378fae92591ca55745d93cd8b0fa127e38fd12f14af
Static task
static1
Behavioral task
behavioral1
Sample
f13899dec145e83e8a1a7ee5be6fca18a24461d60bddd388c121d76c53eced90.exe
Resource
win10-20220414-en
Malware Config
Extracted
smokeloader
2020
http://agressivemnaiq.xyz/
https://agressivemnaiq.xyz/
Extracted
redline
us
94.130.222.120:29240
-
auth_value
521267bd2f00cb305e87075b05d009f9
Extracted
redline
MixW
94.130.222.120:29240
-
auth_value
13e177d0765ee6b55bd8c1f11560c773
Targets
-
-
Target
f13899dec145e83e8a1a7ee5be6fca18a24461d60bddd388c121d76c53eced90
-
Size
2.2MB
-
MD5
1f8f8cc2fb5c5e5af84558cdf927205c
-
SHA1
7a4ab20469c3e0054e9dacf84a8157fcccf4e59d
-
SHA256
f13899dec145e83e8a1a7ee5be6fca18a24461d60bddd388c121d76c53eced90
-
SHA512
4a5a5e2fb4505d16c3746a27839f5b72f8c17f4e1d88a10d4d52fff0b7e9c0de73ed2d6551dad3b621e1a378fae92591ca55745d93cd8b0fa127e38fd12f14af
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-