General

  • Target

    b625361a15c00ad25adfa2130dfa1033108cebad9705db647b64f4e43e3d8b46

  • Size

    276KB

  • Sample

    221010-pedwlabga9

  • MD5

    0d02c15eef61b85f35823b1c37ee6b0b

  • SHA1

    a480af11f34cb38dc11cc363d025d66743c2ba91

  • SHA256

    b625361a15c00ad25adfa2130dfa1033108cebad9705db647b64f4e43e3d8b46

  • SHA512

    bf02349edb7ba6522c472e1bda077b8a311b61a92829bd56f99bfdfb91d29ccb8a4aa91332bb0d95d31d01a0cc4c0124ddb6e69b8a880ec2e13e049641f0d3c2

  • SSDEEP

    6144:QdD7MFE2x6O9Wy9kEZ/Ouo/t4hrwVfquS:Qd0FE2D9pks/OuoF4hd

Malware Config

Extracted

Family

redline

Botnet

Morn

C2

80.66.87.20:80

Attributes
  • auth_value

    98b8a59d3016c72d785854c61b951f1a
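The hashes and C2 endpoint above are the actionable indicators from this report. The following Python is an added example (not part of the sandbox report or the RedLine family) showing how a practitioner would turn them into a matcher: it hashes a byte buffer against the report's digests and scans constructed proxy-style log lines for traffic to 80.66.87.20. The log line format, the sample lines and the severity split between an exact host:port hit and a same-host-other-port hit are assumptions chosen for illustration.

```python
"""IOC matching for the indicators in the report above (added example, not part
of the sandbox report). Hashes a byte buffer against the report's digests and
scans constructed proxy-style log lines for the RedLine C2 endpoint. The log
line format and sample lines are assumptions chosen for illustration."""
import hashlib
import re

# Digests copied from the report.
SAMPLE_HASHES = {
    "md5": "0d02c15eef61b85f35823b1c37ee6b0b",
    "sha1": "a480af11f34cb38dc11cc363d025d66743c2ba91",
    "sha256": "b625361a15c00ad25adfa2130dfa1033108cebad9705db647b64f4e43e3d8b46",
}
# C2 endpoint from the extracted config.
C2_HOST = "80.66.87.20"
C2_PORT = 80


def digest_bytes(data: bytes) -> dict:
    """Return the md5/sha1/sha256 hex digests of data (same fields as the report)."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def matches_sample(data: bytes) -> bool:
    """True if any digest of data equals the corresponding digest from the report."""
    computed = digest_bytes(data)
    return any(computed[name] == value for name, value in SAMPLE_HASHES.items())


# Assumed (constructed) log format: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)$"
)


def scan_netlog(lines):
    """Return (timestamp, src_ip, severity) for every connection to the C2 host.

    An exact host:port match is 'high'; the same host on another port is
    'medium', because the host is the stronger indicator than the port.
    Lines that do not parse are skipped rather than raising.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["dst"] != C2_HOST:
            continue
        severity = "high" if int(m["dport"]) == C2_PORT else "medium"
        hits.append((m["ts"], m["src"], severity))
    return hits


# Constructed sample log lines (not from the report); 198.51.100.7 is a benign placeholder.
SAMPLE_LOG = [
    "2022-10-10T14:03:11Z 10.0.0.15:49213 -> 198.51.100.7:443 tcp",
    "2022-10-10T14:03:12Z 10.0.0.15:49214 -> 80.66.87.20:80 tcp",
    "2022-10-10T14:03:13Z 10.0.0.22:51002 -> 80.66.87.20:443 tcp",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for ts, src, sev in scan_netlog(SAMPLE_LOG):
        print(f"[{sev}] {ts} {src} -> {C2_HOST} (RedLine C2)")
    print("empty buffer matches sample:", matches_sample(b""))
```

Hash matching only catches this exact build; the SSDEEP value in the report is the indicator to use for near-duplicate builds, and the C2 host is the one that survives repacking.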

Targets

    • Target

      b625361a15c00ad25adfa2130dfa1033108cebad9705db647b64f4e43e3d8b46

    • Size

      276KB

    • MD5

      0d02c15eef61b85f35823b1c37ee6b0b

    • SHA1

      a480af11f34cb38dc11cc363d025d66743c2ba91

    • SHA256

      b625361a15c00ad25adfa2130dfa1033108cebad9705db647b64f4e43e3d8b46

    • SHA512

      bf02349edb7ba6522c472e1bda077b8a311b61a92829bd56f99bfdfb91d29ccb8a4aa91332bb0d95d31d01a0cc4c0124ddb6e69b8a880ec2e13e049641f0d3c2

    • SSDEEP

      6144:QdD7MFE2x6O9Wy9kEZ/Ouo/t4hrwVfquS:Qd0FE2D9pks/OuoF4hd

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence that decides whether the sample runs in the victim's region.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

      Writes a value under the CurrentVersion\Run key so the dropped executable is started again at logon.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

      Commonly used to redirect execution of a suspended thread in another process, as in process hollowing and related injection techniques.
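Several of the findings above (the Run key write, the Uninstall key enumeration, the country code lookup, the browser profile and wallet file reads) map directly to host telemetry. The following Python is an added example (not part of the sandbox report) that encodes them as rules and runs them over constructed Sysmon-style events. The event schema, the image paths, the geolocation key path and the enumeration threshold are assumptions chosen for illustration; adjust them to what your own telemetry records.

```python
"""Behavioural rules for the findings listed above, run over constructed
Sysmon-style events (added example, not part of the report). The event schema,
the geolocation key path and the threshold are assumptions for illustration."""
import re
from collections import defaultdict

# Registry paths tied to the listed behaviours.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
UNINSTALL_RE = re.compile(r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall\\", re.I)
# Assumed location of the configured country code; adjust to what your telemetry records.
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\", re.I)
# File paths an infostealer reads: browser profile stores and wallet files.
BROWSER_DATA_RE = re.compile(r"\\(Login Data|Web Data|Cookies|logins\.json)$", re.I)
WALLET_RE = re.compile(r"\\(wallet\.dat|Exodus|Electrum|Ethereum)\b", re.I)
UNINSTALL_THRESHOLD = 5  # distinct Uninstall subkeys read before calling it enumeration


def evaluate(events):
    """Return (rule, image, detail) alerts for a list of event dicts."""
    alerts = []
    uninstall_keys = defaultdict(set)  # image -> distinct Uninstall subkeys it read
    for ev in events:
        kind, img, target = ev.get("event"), ev.get("image", ""), ev.get("target", "")
        if kind == "RegistryValueSet" and RUN_KEY_RE.search(target):
            alerts.append(("persistence_run_key", img, target))
        elif kind == "RegistryKeyRead" and UNINSTALL_RE.search(target):
            uninstall_keys[img].add(target)
        elif kind == "RegistryValueRead" and GEO_RE.search(target):
            alerts.append(("geolocation_check", img, target))
        elif kind == "FileRead" and BROWSER_DATA_RE.search(target):
            alerts.append(("browser_credential_access", img, target))
        elif kind == "FileRead" and WALLET_RE.search(target):
            alerts.append(("crypto_wallet_access", img, target))
    # Enumeration is a volume signal, so it is decided after the pass; a single
    # Uninstall read is normal for installers and Explorer.
    for img, keys in uninstall_keys.items():
        if len(keys) >= UNINSTALL_THRESHOLD:
            alerts.append(("installed_software_enumeration", img, len(keys)))
    return alerts


# Constructed events (not from the report). The stealer image path is invented.
STEALER = r"C:\Users\victim\AppData\Local\Temp\update.exe"
EXPLORER = r"C:\Windows\explorer.exe"
UNINSTALL_BASE = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{app-%d}"
EVENTS = [
    {"event": "RegistryValueRead", "image": STEALER,
     "target": r"HKCU\Control Panel\International\Geo\Nation"},
    {"event": "RegistryValueSet", "image": STEALER,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update"},
    *({"event": "RegistryKeyRead", "image": STEALER, "target": UNINSTALL_BASE % i} for i in range(6)),
    {"event": "FileRead", "image": STEALER,
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "FileRead", "image": STEALER,
     "target": r"C:\Users\victim\AppData\Roaming\Bitcoin\wallet.dat"},
    {"event": "RegistryKeyRead", "image": EXPLORER, "target": UNINSTALL_BASE % 0},
    {"event": "FileRead", "image": EXPLORER, "target": r"C:\Users\victim\Documents\notes.txt"},
]

if __name__ == "__main__":
    for rule, img, detail in evaluate(EVENTS):
        print(f"{rule:34} {img}  {detail}")
```

Each rule on its own is noisy (Explorer reads Uninstall keys, browsers read their own Login Data); the value is in several of them firing for the same image from a user-writable path within a short window, which is the pattern this report documents.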

MITRE ATT&CK Enterprise v6

Tasks