General
-
Target
3315dcd7c2a6bf73e5130c7a57a438a1.bin
-
Size
1.5MB
-
Sample
231031-b4fvlafh4s
-
MD5
266100388790c81aecb19ee34d647d0b
-
SHA1
c412f82fba4048b333987498746a097a2b118e1b
-
SHA256
6d324a475faaa1525f0e4a015c0e1df87bf196da71ba21fe22971cec64ca0490
-
SHA512
26842dccd5bbe3df6bb1f953c546d0e1a9a5ed61f78de4344bcbc056979b061abba9dcb4132001711f9226ea9213e83e5177b61f25aeb6cc1ada8298c73ddb61
-
SSDEEP
24576:7YZCdK3E6N2PHfCfVF0I++TmdkBfTrNBVGzmHIw0YG86wM7O541+P+nex16ws:Q06N2nCtuIvK+9bVkmowa/WWuseXNs
Static task
static1
Behavioral task
behavioral1
Sample
1135797ce0da6ee99c52fd2f9cff393715dd4f6d9cf6d37e96518f44ce907e92.exe
Resource
win10v2004-20231025-en
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
redline
kinza
77.91.124.86:19084
Extracted
smokeloader
up3
Extracted
redline
@ytlogsbot
194.169.175.235:42691
Extracted
redline
pixelnew
194.49.94.11:80
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
raccoon
6a6a005b9aa778f606280c5fa24ae595
http://195.123.218.98:80
http://31.192.23
-
user_agent
SunShineMoonLight
Targets
-
-
Target
1135797ce0da6ee99c52fd2f9cff393715dd4f6d9cf6d37e96518f44ce907e92.exe
-
Size
1.5MB
-
MD5
3315dcd7c2a6bf73e5130c7a57a438a1
-
SHA1
4507d7357bb2ddacff00be586c2889160fdbef44
-
SHA256
1135797ce0da6ee99c52fd2f9cff393715dd4f6d9cf6d37e96518f44ce907e92
-
SHA512
e66fbee5c4470bc6206e46fabb44032284754613179d137225a8125ae5ae45c669bfd0fff01d5d5d1b6ce5b30a2f6c8fcf05fd21c9d31cae1102af996b4d387d
-
SSDEEP
24576:kyHEuA5MtWLEZ58n15wKb26i8oBzW0IEgLr946qO85vi50w3NK/3T66:zHc5MMLq6fwKCj8mL2Ly6kvif3Iv
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect ZGRat V1
-
Glupteba payload
-
Raccoon Stealer payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1