General
Target: c891e3032f2179def6000a036ad4641829efe55670408110ac1d2683e8b17273_JC.exe
Size: 1.5MB
Sample: 230912-qszwnach8x
MD5: 7c9a817e63843b6f41e203cd3cf7f47a
SHA1: 46d0dae4d90a73aa9d3549d377eed4ee158a9558
SHA256: c891e3032f2179def6000a036ad4641829efe55670408110ac1d2683e8b17273
SHA512: 38f2972072c8d5cac7625ee3f9a0f2e2420b2f4da7954e07077a7b86d01a9f7877b32ca96eb354768354e22e39721d0f166004b3cd575e5060caffed132fe3b6
SSDEEP: 24576:poeCJ4evdU0MvbTT+GTD7Oqrr7AgDN1JvFjfDxWNb2EPB/eDzBxnPFuSvOR232vS:SeCJ4Ud/8Pd/7/8gDnHjDxgb9QDzBBw2
Static task: static1
Behavioral task: behavioral1
  Sample: c891e3032f2179def6000a036ad4641829efe55670408110ac1d2683e8b17273_JC.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: c891e3032f2179def6000a036ad4641829efe55670408110ac1d2683e8b17273_JC.exe
  Resource: win10v2004-20230831-en
Malware Config
Extracted: redline
  Botnet: smokiez_build
  C2: 194.169.175.232:45450
  auth_value: 2e68bc276986767f0f14a3d75567abcd
Extracted: smokeloader
  Version: 2022
  C2: http://77.91.68.29/fks/
Extracted: redline
  Botnet: tuco
  C2: 77.91.124.82:19071
  auth_value: dcfeb759bae9232de006fc3a4b34ac53
Targets
Target: c891e3032f2179def6000a036ad4641829efe55670408110ac1d2683e8b17273_JC.exe (1.5MB; hashes as listed under General)
Signatures
- Detects Healer, an antivirus disabler dropper
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (2)
- Impair Defenses (1): Disable or Modify Tools (1)
- Scripting (1)