General
Target: bc587f9de7ecdecfc9a9d45207cfe5980b5a9342a9157877cfcb2026d5a8e6d6
Size: 273KB
Sample: 230813-n1k2csdf31
MD5: a7db7ad42388f409157f258de45fd4af
SHA1: 8677a47b1400894491875e4b0e4bc86ae4152988
SHA256: bc587f9de7ecdecfc9a9d45207cfe5980b5a9342a9157877cfcb2026d5a8e6d6
SHA512: 730bc6b71f44f45bf2e141aab659de8afdf3df039502be8f67c401e53ca7eea3cecf4703b418d12be760be36b10bff88801ae0bf2d090628af5a18eb55cdb398
SSDEEP: 3072:uXULEVFLzaWVLxYrKckgYW7IP4fQMmyg8596C8bd:244FLzfVLxcOvpg6lbd
Static task: static1
Behavioral task: behavioral1
Sample: bc587f9de7ecdecfc9a9d45207cfe5980b5a9342a9157877cfcb2026d5a8e6d6.exe
Resource: win10-20230703-en
Malware Config
Extracted: smokeloader
Version: 2022
C2:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
Extracted: redline
Botnet: lux3
C2: 176.123.9.142:14845
auth_value: e94dff9a76da90d6b000642c4a52574b
Extracted: vidar
Version: 5.1
Botnet: d2840cabd9794f85353e1fae1cd95a0b
C2 (Telegram and Steam profile pages used as dead-drop resolvers; the live C2 address is read from these pages at runtime, so match the full profile URL rather than blocking t.me or steamcommunity.com):
https://t.me/tatlimark
https://steamcommunity.com/profiles/76561199536605936
profile_id_v2: d2840cabd9794f85353e1fae1cd95a0b
Extracted: redline
Botnet: LogsDiller Cloud (TG: @logsdillabot)
C2: 51.83.170.21:19447
auth_value: 3a050df92d0cf082b2cdaf87863616be
Extracted: amadey
Version: 3.87
C2: 79.137.192.18/9bDc8sQ/index.php
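The following Python script is an added example and is not part of the sandbox report. It takes the C2 values extracted above, sorts them into bare domains (safe to block outright), ip:port pairs, and path-qualified URLs (the Vidar dead-drop profiles on t.me and steamcommunity.com, and the Amadey panel path), and then matches them against a handful of constructed proxy, DNS and firewall log lines. The log lines, the field layout they use, and the SHARED_HOSTS list are assumptions made for the demo; the indicator values are copied from the report.

```python
# Added example, not part of the sandbox report: build an IOC set from the
# extracted configs and match it against constructed log lines.
import re
from urllib.parse import urlparse

# C2 values copied from the report's "Malware Config" section.
EXTRACTED = {
    "smokeloader": [
        "http://potunulit.org/", "http://hutnilior.net/", "http://bulimu55t.net/",
        "http://soryytlic4.net/", "http://novanosa5org.org/", "http://nuljjjnuli.org/",
        "http://tolilolihul.net/", "http://somatoka51hub.net/", "http://hujukui3.net/",
        "http://bukubuka1.net/", "http://golilopaster.org/", "http://newzelannd66.org/",
        "http://otriluyttn.org/",
    ],
    "redline": ["176.123.9.142:14845", "51.83.170.21:19447"],
    "vidar": ["https://t.me/tatlimark",
              "https://steamcommunity.com/profiles/76561199536605936"],
    "amadey": ["79.137.192.18/9bDc8sQ/index.php"],
}

# Assumption for this demo: legitimate services abused as dead-drop resolvers.
# These are matched on host+path only; blocking the bare host would break
# Telegram and Steam for the whole estate.
SHARED_HOSTS = {"t.me", "steamcommunity.com"}

SOCKET_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:\d+")


def build_iocs(extracted):
    """Split extracted C2 values into three indicator classes.

    Returns (domains, sockets, urls): bare hosts -> family, "ip:port" -> family,
    and (host, path) -> family for indicators that must carry their path.
    """
    domains, sockets, urls = {}, {}, {}
    for family, values in extracted.items():
        for value in values:
            if SOCKET_RE.fullmatch(value):
                sockets[value] = family
                continue
            parsed = urlparse(value if "://" in value else "http://" + value)
            host, path = parsed.hostname, parsed.path or "/"
            if host in SHARED_HOSTS or path != "/":
                urls[(host, path)] = family      # path-qualified indicator
            else:
                domains[host] = family           # whole domain is hostile
    return domains, sockets, urls


def match_line(line, iocs):
    """Return [(family, indicator), ...] for every IOC present in one log line."""
    domains, sockets, urls = iocs
    hits = []
    for sock, family in sockets.items():
        if sock in line:
            hits.append((family, sock))
    for (host, path), family in urls.items():
        if host + path in line:                  # host and path must both appear
            hits.append((family, host + path))
    for host, family in domains.items():
        # Match the domain and its subdomains (a leading "." is allowed),
        # but not "notpotunulit.org" or "potunulit.org-cdn".
        if re.search(r"(?<![\w-])" + re.escape(host) + r"(?![\w-])", line):
            hits.append((family, host))
    return hits


# Constructed log lines for the demo; they are not from the report.
SAMPLE_LOGS = [
    "2023-08-13T14:02:11Z proxy src=10.0.0.15 GET http://potunulit.org/ 200",
    "2023-08-13T14:02:13Z dns src=10.0.0.15 query=www.hutnilior.net type=A",
    "2023-08-13T14:02:20Z fw allow tcp 10.0.0.15:51234 -> 176.123.9.142:14845",
    "2023-08-13T14:02:25Z proxy src=10.0.0.15 GET https://t.me/tatlimark 200",
    "2023-08-13T14:02:26Z proxy src=10.0.0.15 GET https://t.me/telegram 200",
    "2023-08-13T14:02:30Z proxy src=10.0.0.15 POST http://79.137.192.18/9bDc8sQ/index.php 200",
    "2023-08-13T14:03:00Z proxy src=10.0.0.22 GET https://steamcommunity.com/ 200",
]


def scan(lines, extracted=EXTRACTED):
    """Return [(line_index, hits), ...] for lines that contain at least one IOC."""
    iocs = build_iocs(extracted)
    results = []
    for index, line in enumerate(lines):
        hits = match_line(line, iocs)
        if hits:
            results.append((index, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOGS):
        print(index, hits, "<-", SAMPLE_LOGS[index])
```

Only five of the seven constructed lines produce a hit: the plain t.me channel visit and the bare steamcommunity.com request are left alone because those hosts are shared infrastructure, and only the exact profile paths from the config count as indicators.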
Targets
Target: bc587f9de7ecdecfc9a9d45207cfe5980b5a9342a9157877cfcb2026d5a8e6d6 (size and hashes identical to the General section above)
Signatures:
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Downloads MZ/PE file
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext (redirecting a suspended thread's entry point is the usual final step of process hollowing and similar injection techniques).