General
Target: 684d25e7a30de2d8f34d14d57be0e3b96086c76f154853b369d7b38407f47cca
Size: 270KB
Sample: 230924-s318ksgd2x
MD5: 60c0964c8cef3e1f1d2c911423fd4fef
SHA1: a4c413f722348b530f525faa24fa536728b46b29
SHA256: 684d25e7a30de2d8f34d14d57be0e3b96086c76f154853b369d7b38407f47cca
SHA512: d319eedf7035d9889ebce9ce18aaa6ea8fe374a4efa0de7eb353f019a62580842d5833ac9c9e3362146a6e223a84a4f6123a04102f0d4ab4b180aa163d4d05ea
SSDEEP: 6144:XRuhrJ+j+5j68KsT6h/OCy5U9uAO+ARs20eyqw6:XR4N+j+5+RsqGGu1Rs20e/w6
Static task: static1
Malware Config
Extracted: smokeloader (2022)
  http://77.91.68.29/fks/
Extracted: smokeloader (up3)
Extracted: smokeloader (2020)
  http://host-file-host6.com/
  http://host-host-file8.com/
Targets
Target: 684d25e7a30de2d8f34d14d57be0e3b96086c76f154853b369d7b38407f47cca (size and hashes as listed under General above)
- Glupteba payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext