General
- Target: JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4
- Size: 207KB
- Sample: 230902-nnmdnacf89
- MD5: 29f9c469d2695d3d90204fd2f7226efd
- SHA1: 4ec4b5892bbeac6e37e8c609b54648bf40a123bb
- SHA256: 75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4
- SHA512: b29421b982a1801ecb957c2868c9987c187979258f16e3493f2456e8ffaa0cee78da4129aba2b2e726351ba807ec813eaa5a375b36c24f2035a6eb0cd503f7cc
- SSDEEP: 3072:rDVjvYR+L4xC/yx9J2pJgZwl36OkjfWVEEcoTyYR:fCR+L4CMqBN6Ok6VeM9
Static task: static1
Behavioral task: behavioral1
- Sample: JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4.exe
- Resource: win10v2004-20230831-en
Malware Config
Extracted: smokeloader
- summ
Extracted: smokeloader
- 2022
- http://stalagmijesarl.com/
- http://ukdantist-sarl.com/
- http://cpcorprotationltd.com/
Extracted: redline
- installs
- 162.55.189.218:26952
- auth_value: 4bdfa4191a2826ff2af143a4691bab78
Extracted: asyncrat
- Default
- 127.0.0.1:6606
- 127.0.0.1:7707
- 127.0.0.1:8808
- https://api.telegram.org/bot6538641198:AAHYdHyZFemLu-2_NIdt0LLw-uxUuxXCPOY/sendMessage?chat_id=5786978836
- AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Targets
- Target: JC_75f1b83365dc9f8867aae86d9b8234f544d0b193743bfb012d31a258652d2bc4
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- StormKitty payload
- Async RAT payload
- Downloads MZ/PE file
- Deletes itself
- Executes dropped EXE
- Uses the VBS compiler for execution
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext