General
-
Target
0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620
-
Size
5.3MB
-
Sample
230715-felrrsha29
-
MD5
5247f286b68bc92d3035e205c669ba43
-
SHA1
a2300146f6545e570f5e0b290c59a60aed8d00b7
-
SHA256
0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620
-
SHA512
bf312c2603ca5445ccfc1820920101a92b92e109f65a2e87623feb567e805674ca632c0464870efab4974bc0464e8a0cc41e24acab6f555310cb282d2feba2a3
-
SSDEEP
98304:5RQP+mv3dnIJUp+EQkeScktlsJMDIpnFSFJeQ6J95tCn7fv:Hevt+5EZikLs6IBFK6J95o7fv
Static task
static1
Behavioral task
behavioral1
Sample
0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620.exe
Resource
win10-20230703-en
Malware Config
Extracted
amadey
3.83
5.42.65.80/8bmeVwqx/index.php
Extracted
gcleaner
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
redline
120723_rc_11
rcam.tuktuk.ug:11290
-
auth_value
3a7b4b38a7116be1f337083fb37de790
Extracted
laplas
http://lpls.tuktuk.ug
-
api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Targets
-
-
Target
0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620
-
Size
5.3MB
-
MD5
5247f286b68bc92d3035e205c669ba43
-
SHA1
a2300146f6545e570f5e0b290c59a60aed8d00b7
-
SHA256
0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620
-
SHA512
bf312c2603ca5445ccfc1820920101a92b92e109f65a2e87623feb567e805674ca632c0464870efab4974bc0464e8a0cc41e24acab6f555310cb282d2feba2a3
-
SSDEEP
98304:5RQP+mv3dnIJUp+EQkeScktlsJMDIpnFSFJeQ6J95tCn7fv:Hevt+5EZikLs6IBFK6J95o7fv
-
Detect Fabookie payload
-
Glupteba payload
-
Modifies security service
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
3Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Impair Defenses
1Modify Registry
2Virtualization/Sandbox Evasion
1Web Service
1