General
Target: 8bde5778f160ff8a1a646b7c465d2298.exe
Size: 274KB
Sample: 230303-g4btjagd92
MD5: 8bde5778f160ff8a1a646b7c465d2298
SHA1: 5b7d72da8df173c20b836f45e6456aed093bc787
SHA256: 98e2adbab29c57b143ce56eebfa10e13b3f9624b98320a4168760eb46ca22209
SHA512: 4f73eccc1fda675ce2c499eaac60171132107f52d4a650d1c9babe1789b53ae433af2a6c99b36eed4ae24495921d67aa8ec12456d794017fbab93922532bb5f4
SSDEEP: 3072:j6G/gFIuLRu5dscEHbmIYOrNCtQUnBTshvOkZEHvr:WGI9LRKdX3gC9+dXW
Static task: static1

Behavioral task: behavioral1
Sample: 8bde5778f160ff8a1a646b7c465d2298.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 8bde5778f160ff8a1a646b7c465d2298.exe
Resource: win10v2004-20230221-en
Malware Config

Extracted: smokeloader
2022
Extracted: redline
45.15.157.131:36457
37.220.87.13:40676
auth_value: ce706d047c7ff3fee4b0ebac927e421d

Extracted: redline
01
167.235.133.96:43849
auth_value: a158e35a6caac69f2614dc12bb02fdf2
Targets
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext