General

Target: 673e0f6580489c78574074b7be278583bbc0a9696b7dc91eefe38076dbe9e9de
Size: 160KB
Sample: 231011-ygy4zsba94
MD5: c9296d00dfea0eb9bd9365f78f720453
SHA1: ddb3d55771e5b1ad2fa83b82fe0d57723f2f6e47
SHA256: 91d80659bbc16854665ee8f1aaa77b7a8ad9329a37d93a518d98513c646b8a25
SHA512: 618d259e547d7231ca05554a7986eb7baea90e83bf918f32bcdd00fc95304f4f13ac766d3f4d673c123f2d902a8dbd8f02414a07a5ba87f68597ac4f1412df8c
SSDEEP: 3072:BtqUPtfJMt/D9Pt5uM8uU7+q4Z7ZFzooMDcmaSqtMEuL8eofbPgqX:BtqyJyLL5uM8MqUjkopmal+l8Z3
Static task: static1

Behavioral task: behavioral1
  Sample: 673e0f6580489c78574074b7be278583bbc0a9696b7dc91eefe38076dbe9e9de.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: 673e0f6580489c78574074b7be278583bbc0a9696b7dc91eefe38076dbe9e9de.exe
  Resource: win10v2004-20230915-en
Malware Config

Extracted: smokeloader
  Version: 2022
  C2: http://77.91.68.29/fks/

Extracted: amadey
  Version: 3.89
  C2: http://77.91.124.1/theme/index.php
  install_dir: fefffe8cea
  install_file: explothe.exe
  strings_key: 36a96139c1118a354edf72b1080d4b2f

Extracted: amadey
  Version: 3.83
  C2: http://5.42.65.80/8bmeVwqx/index.php
  install_dir: 207aa4515d
  install_file: oneetx.exe
  strings_key: 3e634dd0840c68ae2ced83c2be7bf0d4

Extracted: redline
  Botnet: pixelscloud
  C2: 85.209.176.171:80

Extracted: redline
  Botnet: @ytlogsbot
  C2: 185.216.70.238:37515

Extracted: redline
  Botnet: breha
  C2: 77.91.124.55:19071

Extracted: redline
  Botnet: kukish
  C2: 77.91.124.55:19071
Targets

Target: 673e0f6580489c78574074b7be278583bbc0a9696b7dc91eefe38076dbe9e9de
Size: 270KB
MD5: 65d65b4be02ae073ce74aab846a5c2a1
SHA1: ed84f9bceae6ff5a5b6434bb738c847ea8ced05a
SHA256: 673e0f6580489c78574074b7be278583bbc0a9696b7dc91eefe38076dbe9e9de
SHA512: 439d71c376e913cd180d645b6ca7e198687201cda79bc8bc78632e33c18e962b9c670498f4c74cf17a3b6d6713da5ec7e2ae468b3a27723fd6e0298932c577be
SSDEEP: 6144:2RahrJ+j+5j68KsT6h/OCy5U9uAORAF7NR3sqw6:2RkN+j+5+RsqGGuAFZHw6

Signatures:
- DcRat
  DarkCrystal (DC) RAT is a .NET RAT, active since June 2019, capable of loading additional plugins.
- Detects Healer, an antivirus disabler dropper
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- SectopRAT payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution: 1
  Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 1
  Windows Service: 1
  Scheduled Task/Job: 1

Privilege Escalation
  Boot or Logon Autostart Execution: 1
  Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 1
  Windows Service: 1
  Scheduled Task/Job: 1

Defense Evasion
  Impair Defenses: 2
  Disable or Modify Tools: 2
  Modify Registry: 4
  Scripting: 1