General
-
Target
file
-
Size
439KB
-
Sample
230708-rj3fvsfh2z
-
MD5
db5dea81bb668fa4386d2ea8ecbe9e1c
-
SHA1
642f1d9423d883854a06f50b03619c16fe33281a
-
SHA256
abd8284914e8bc1309c13903e7b41b1af552c80598982c9e8fbe35e88eda9315
-
SHA512
b7a0a78a34d2a1f00385b58fd172e4d0c9224c9d1020fe656a7bc4414dadc4ab24e40ad6736f905208747c8d048da0f4efea1af965c12a218d46305f90721fad
-
SSDEEP
12288:kehYGKhh2CbBZ0MjA7Yhsd7R6jOP1tcrEQf:ZiGKPZbYBYhsd7dtF
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230703-en
Malware Config
Extracted
amadey
3.83
5.42.65.80/8bmeVwqx/index.php
Extracted
smokeloader
pub5
Extracted
smokeloader
2022
http://aapu.at/tmp/
http://poudineh.com/tmp/
http://firsttrusteedrx.ru/tmp/
http://kingpirate.ru/tmp/
Extracted
gcleaner
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
redline
070723_rc_11
amrc.tuktuk.ug:11290
-
auth_value
5c003bb2a44f6538df34879227a9ad34
Extracted
laplas
http://lpls.tuktuk.ug
-
api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Targets
-
-
Target
file
-
Size
439KB
-
MD5
db5dea81bb668fa4386d2ea8ecbe9e1c
-
SHA1
642f1d9423d883854a06f50b03619c16fe33281a
-
SHA256
abd8284914e8bc1309c13903e7b41b1af552c80598982c9e8fbe35e88eda9315
-
SHA512
b7a0a78a34d2a1f00385b58fd172e4d0c9224c9d1020fe656a7bc4414dadc4ab24e40ad6736f905208747c8d048da0f4efea1af965c12a218d46305f90721fad
-
SSDEEP
12288:kehYGKhh2CbBZ0MjA7Yhsd7R6jOP1tcrEQf:ZiGKPZbYBYhsd7dtF
-
Glupteba payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-