General
Target: 10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.zip
Size: 140KB
Sample: 230311-s6kp1aca6t
MD5: df5af7d049c41c12cc017feb5c46d1fc
SHA1: 6dfde96c74e1249ea39f2af1dfb17b28ed75a2a8
SHA256: 5f1fa1d46b0a90a855db5a2b0100ae83164fc1168587373a2b62ee22f75cbe54
SHA512: b89d099825c6020dc4840d211ca419e4c55aead80a835f602fdad8f63d24bb5ef7d45c4f8bf1ff784acb28fd8f383c096e5c23e7bb2301e40aac13bf63387be4
SSDEEP: 3072:NV0ijW8SZgrAXJXr62rHwOa+6D3L5UQQ8DIzxuvaDQZgCwZLM7gF8b8:NV0ij4JXpQzqQQ8DItuvaDUHgk8
Static task: static1
Behavioral task: behavioral1
Sample: 10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe
Resource: win7-20230220-en
Malware Config
Extracted: smokeloader
2023

Extracted: smokeloader
2022
http://c3g6gx853u6j.xyz/
http://04yh16065cdi.xyz/
http://33qd2w560vnx.xyz/
http://neriir0f76gr.com/
http://b4y08hrp3jdb.com/
http://swp6fbywla09.com/
http://7iqt53dr345u.com/
http://mj4aj8r55mho.com/
http://ne4ym7bjn1ts.com/

Extracted: redline
02-700-2
167.235.133.96:43849
auth_value: 8af50b3310e79fa317eef66b1e92900f

Extracted: redline
37.220.87.13:40676
auth_value: 867b4fb099bee5476c9e3f8bc16937ad
Targets
Target: 10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe
Size: 215KB
MD5: 64e1d7ec7103d1a04029c4db2941a8d3
SHA1: 706a486a113041efd175ed05bf86fd5aad67083f
SHA256: 10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f
SHA512: b38c7104b5406ef1ef212637c7bf201e182359f5bed078ca9718ebfbf0ed5f59927a612ce422e7eab692c591c9089c8c3231f49966e75e28af7c2ff0f675277d
SSDEEP: 3072:paUIvLUh91b504gy5kJM0yD1h52aNfC6YQGJ58ZdIqxQYzEVb:sUwLk91sZyphoaNfLYrJ58FFzyb

DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

Process spawned unexpected child process
This typically indicates that the parent process was compromised via an exploit or a macro.

RedLine
RedLine Stealer is a malware family written in C#, first seen in early 2020.

RedLine payload

Downloads MZ/PE file

Checks computer location settings
Looks up the country code configured in the registry, likely as a geofence.

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2