Overview

overview

10

Static

static

750af2e33f...ed.exe

windows7-x64

10

750af2e33f...ed.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    750af2e33ff183e381e853af4fd7a4b16500639a6d109e1600a04f5fba65caed.zip

  • Size

    105KB

  • Sample

    221113-2rslqsge91

  • MD5

    05437bc0c9af40a6f2e43af190bb1364

  • SHA1

    f9d109c876da136d77729116aa4cb9074bfd1eaf

  • SHA256

    8d5463d6b5392687c885cea7478f814e0970d6a8a5e554aa72804535c48bd514

  • SHA512

    e9475f8788b5f9f5b28da6e4b66edbd37b88a7762e164c3d432e44750ff51062715f1499abbb8232675bc52f8771423deffe8bbabcd737d2d12daf99d37684ed

  • SSDEEP

    1536:UxghTGzg2FJUy2jbbr0OT3IKGKI0b4+pn8JUtDFD29VDHaOppg6mql8ZRkl6agk4:Ua4kO6bbrxT3vGKJxp8Jpb7a0UqODDAa

Score
10/10
redlinesmokeloadergoogle2new1113backdoordiscoveryinfostealerspywarestealertrojanupx

Malware Config

Extracted

Family

redline

Botnet

Google2

C2

167.235.71.14:20469

Attributes
  • auth_value

    fb274d9691235ba015830da570a13578

Extracted

Family

redline

Botnet

new1113

C2

jalocliche.xyz:81

chardhesha.xyz:81
Attributes
  • auth_value

    bce8d71b3146db7b78f06ec6ae28bdd9

Targets

    • Target

      750af2e33ff183e381e853af4fd7a4b16500639a6d109e1600a04f5fba65caed.exe

    • Size

      153KB

    • MD5

      c9b8a56ae44d31bf77e38425277cf79f

    • SHA1

      ef24cff7cc9e4b9fbb6888f7d80d51a91855211e

    • SHA256

      750af2e33ff183e381e853af4fd7a4b16500639a6d109e1600a04f5fba65caed

    • SHA512

      084b3131d17c26e751ee6273ad759b9773f3a174d88c26de82c2a712ee8b6b16f3f2163c16252e4dd7d9c6d32c9068d8a622101cc24188de924f35d3e7f02620

    • SSDEEP

      3072:FYY5LEyU+qcXE55bUfmsLppTR5A69wAEVzTlVwWbqS7:nLEyU+9YWmOppTR6swAE9lVbuK

    Score
    10/10
    smokeloaderbackdoortrojanredlinegoogle2new1113discoveryinfostealerspywarestealerupx

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks