General
- Target: a10050075a0d60a634c91b5d7631f736e65f7a638a9a0ea7a2703b7871776b71
- Size: 251KB
- Sample: 230817-fneptafd27
- MD5: d24e552f2a57bbd6fef597e88a8cd46d
- SHA1: 00c5360cdb57031b421b4e35641040af0d1dfd0c
- SHA256: a10050075a0d60a634c91b5d7631f736e65f7a638a9a0ea7a2703b7871776b71
- SHA512: ac21d7970997b9d005c3a33f6a77fce0a6832689cbfca9fd2fa54e713fc3105ef7ad51a066dd754a8a1ae6ccfe0961ddb305e104d9172306f3334b2dbe7ae6cd
- SSDEEP: 3072:FUz4htJbtTzqpnntsEssR59JeNpLyytvJALY+yzhdsK:uzKnWnntsEDwpf+Y+yzR
Static task: static1
Behavioral task: behavioral1
Sample: a10050075a0d60a634c91b5d7631f736e65f7a638a9a0ea7a2703b7871776b71.exe
Resource: win10-20230703-en
Malware Config

Extracted: smokeloader
2022
- http://potunulit.org/
- http://hutnilior.net/
- http://bulimu55t.net/
- http://soryytlic4.net/
- http://novanosa5org.org/
- http://nuljjjnuli.org/
- http://tolilolihul.net/
- http://somatoka51hub.net/
- http://hujukui3.net/
- http://bukubuka1.net/
- http://golilopaster.org/
- http://newzelannd66.org/
- http://otriluyttn.org/
- http://greenbi.net/tmp/
- http://speakdyn.com/tmp/
- http://pik96.ru/tmp/

Extracted: redline
lux3
176.123.9.142:14845
- auth_value: e94dff9a76da90d6b000642c4a52574b

Extracted: redline
LogsDiller Cloud (TG: @logsdillabot)
51.83.170.21:19447
- auth_value: 3a050df92d0cf082b2cdaf87863616be

Extracted: smokeloader
pub1

Extracted: smokeloader
up3
Targets
- Target: a10050075a0d60a634c91b5d7631f736e65f7a638a9a0ea7a2703b7871776b71
- Size: 251KB
- MD5: d24e552f2a57bbd6fef597e88a8cd46d
- SHA1: 00c5360cdb57031b421b4e35641040af0d1dfd0c
- SHA256: a10050075a0d60a634c91b5d7631f736e65f7a638a9a0ea7a2703b7871776b71
- SHA512: ac21d7970997b9d005c3a33f6a77fce0a6832689cbfca9fd2fa54e713fc3105ef7ad51a066dd754a8a1ae6ccfe0961ddb305e104d9172306f3334b2dbe7ae6cd
- SSDEEP: 3072:FUz4htJbtTzqpnntsEssR59JeNpLyytvJALY+yzhdsK:uzKnWnntsEDwpf+Y+yzR

Signatures
- Glupteba payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Downloads MZ/PE file
- Deletes itself
- Executes dropped EXE
- Modifies file permissions
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext