General
-
Target
26878e647ffe5a7bfde7c35788afc018215907148bfa6a191ec28429abf9f74f
-
Size
321KB
-
Sample
230923-jzka8adh8v
-
MD5
2b7286938762a111e45b96fced3e05dc
-
SHA1
9dc07c05ff7ad86d7b7e61f4877303d776cf69aa
-
SHA256
26878e647ffe5a7bfde7c35788afc018215907148bfa6a191ec28429abf9f74f
-
SHA512
adb9205a57b03b7e3ed0f22876811a68e7c7d2c9699277c121d4e2e8f1a2d5deb3d94120238a6267e9b408189dd514cabd30ee636dbc3d7c2b5fef9bc1772991
-
SSDEEP
6144:1v0QHhFek7FnaFDpMM1rxX6lX5DU4Bue:1sQB0k7FYK+l6lpUc
Static task
static1
Behavioral task
behavioral1
Sample
26878e647ffe5a7bfde7c35788afc018215907148bfa6a191ec28429abf9f74f.exe
Resource
win10-20230915-en
Malware Config
Extracted
smokeloader
2022
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
51.38.95.107:42494
-
auth_value
3a050df92d0cf082b2cdaf87863616be
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Targets
-
-
Target
26878e647ffe5a7bfde7c35788afc018215907148bfa6a191ec28429abf9f74f
-
Size
321KB
-
MD5
2b7286938762a111e45b96fced3e05dc
-
SHA1
9dc07c05ff7ad86d7b7e61f4877303d776cf69aa
-
SHA256
26878e647ffe5a7bfde7c35788afc018215907148bfa6a191ec28429abf9f74f
-
SHA512
adb9205a57b03b7e3ed0f22876811a68e7c7d2c9699277c121d4e2e8f1a2d5deb3d94120238a6267e9b408189dd514cabd30ee636dbc3d7c2b5fef9bc1772991
-
SSDEEP
6144:1v0QHhFek7FnaFDpMM1rxX6lX5DU4Bue:1sQB0k7FYK+l6lpUc
-
Glupteba payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Downloads MZ/PE file
-
Stops running service(s)
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1