General
-
Target
b5237a3f0b1db945c1fe3f9ba71e3ff2.exe
-
Size
335KB
-
Sample
230626-q1s33shh92
-
MD5
b5237a3f0b1db945c1fe3f9ba71e3ff2
-
SHA1
ba302c3c2490a3b1b04cfbdd76097f2444a54700
-
SHA256
239c93b0a44ce8723f181a2ec6d17e9fd9516c17241d8f5b2b0212c6d56a9eb2
-
SHA512
9879c4cd6e995916cbd8cb16f6cb3982b48b0ffc5d01479e2c2f3f73ae46a5129893571f94ded70a0ad61a1340c67ef8214018bbc7e1e17fd5395a4f55fb78a1
-
SSDEEP
6144:d/sM+uEe4oleWZxrigxyZdXlgdqUh+LoXl4m34fX6Rs+j2exWLsxAFFDwkGklYkv:5sM+uEe30D67j2exWPFxwkiVi
Static task
static1
Behavioral task
behavioral1
Sample
b5237a3f0b1db945c1fe3f9ba71e3ff2.exe
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
b5237a3f0b1db945c1fe3f9ba71e3ff2.exe
Resource
win10v2004-20230621-en
Malware Config
Extracted
redline
1
dexstat255.xyz:46578
-
auth_value
c4805fc19583231a4c5bb64b0e833716
Extracted
systembc
adstat277xm.xyz:4044
demstat377xm.xyz:4044
Extracted
smokeloader
2022
http://serverlogs37.xyz/statweb255/
http://servblog757.xyz/statweb255/
http://dexblog45.xyz/statweb255/
http://admlogs.online/statweb255/
http://blogstat355.xyz/statweb255/
http://blogstatserv25.xyz/statweb255/
Targets
-
-
Target
b5237a3f0b1db945c1fe3f9ba71e3ff2.exe
-
Size
335KB
-
MD5
b5237a3f0b1db945c1fe3f9ba71e3ff2
-
SHA1
ba302c3c2490a3b1b04cfbdd76097f2444a54700
-
SHA256
239c93b0a44ce8723f181a2ec6d17e9fd9516c17241d8f5b2b0212c6d56a9eb2
-
SHA512
9879c4cd6e995916cbd8cb16f6cb3982b48b0ffc5d01479e2c2f3f73ae46a5129893571f94ded70a0ad61a1340c67ef8214018bbc7e1e17fd5395a4f55fb78a1
-
SSDEEP
6144:d/sM+uEe4oleWZxrigxyZdXlgdqUh+LoXl4m34fX6Rs+j2exWLsxAFFDwkGklYkv:5sM+uEe30D67j2exWPFxwkiVi
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (371) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Drops startup file
-
Executes dropped EXE
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-