General
Target: 8c97538d9d9f4f89a37aef0136ebfa0a56459a9aca73d5e962dd149835288b43
Size: 232KB
Sample: 230816-ywwbmsdg93
MD5: 013c57f91f96219acd3cdbb7b497e88e
SHA1: 32d8354180e1875b58870f41132ea5f59796ea82
SHA256: 8c97538d9d9f4f89a37aef0136ebfa0a56459a9aca73d5e962dd149835288b43
SHA512: 7f881a3ee897abda11a74085d73a0f801877f9edb803b24f2deda467981464438e84bc96f7252ebe1ba63360c0d51a793a4681ae24c64ccf5e569f42b5d95e87
SSDEEP: 6144:nNGJLJHMwDGzqnrmasHqeghhIlsyRdad:nSFHMXzCrDsHqeg30Fa
Static task: static1
Behavioral task: behavioral1
Sample: 8c97538d9d9f4f89a37aef0136ebfa0a56459a9aca73d5e962dd149835288b43.exe
Resource: win10-20230703-en
Malware Config
Extracted: smokeloader, 2022
Extracted: redline (lux3)
176.123.9.142:14845
auth_value: e94dff9a76da90d6b000642c4a52574b
Extracted: redline (LogsDiller Cloud (TG: @logsdillabot))
51.83.170.21:19447
auth_value: 3a050df92d0cf082b2cdaf87863616be
Extracted: redline
38.181.25.43:3325
auth_value: 082cde17c5630749ecb0376734fe99c9
Extracted: smokeloader, pub1
Targets
- Detected Djvu ransomware
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Downloads MZ/PE file
- Deletes itself
- Executes dropped EXE
- Modifies file permissions
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext