General
-
Target
361a0108b53be576572fdef0392c9c1b76d47f00d281ead2891c91a5f42b1272
-
Size
1.5MB
-
Sample
231101-1hzs1sdd6z
-
MD5
0c11ad5828e7fe026ad1264919776dde
-
SHA1
0742b931b20a5d5e10faffbb9c1c5e54de565761
-
SHA256
bc77623e677780111e6715d105a0e44c46f45c68901d26056876ce4a3dde1091
-
SHA512
f69df8c2da964e697d4d1bf1a2d20238bc883ea91cdc74aa348a98bc88e8d9f6c01b4a76610e8dfc12b664d766e3422e23fa6176112694021f4363ddcc575809
-
SSDEEP
24576:hyNIsRG3Xhs2q/OVSsyiaJtG8oyCMHP8RcYMRJW6EKrbRUq0bjU5Dr6faIeBRumG:UNl4o/OTPa5oyCMptEwbRIbEL/un
Static task
static1
Behavioral task
behavioral1
Sample
361a0108b53be576572fdef0392c9c1b76d47f00d281ead2891c91a5f42b1272.exe
Resource
win10v2004-20231020-en
Malware Config
Extracted
Family
smokeloader
Version
2022
C2
http://77.91.68.29/fks/
Extracted
Family
redline
Botnet
grome
C2
77.91.124.86:19084
Extracted
Family
amadey
Version
3.89
C2
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
Family
redline
Botnet
kinza
C2
77.91.124.86:19084
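The extracted configs above are the most directly actionable part of this report: the C2 URL/socket for each family and the Amadey install directory and file name. The following is an added example, not part of the sandbox report, showing how to normalise those values into indicators (full URL plus bare host, socket plus bare host, file-system artifacts) and hunt for them across mixed proxy, firewall and Sysmon-style events. The indicator values are copied from the report; the log lines are constructed for the example. IPs are anchored so that the Amadey host 77.91.124.1 does not also fire on an unrelated 77.91.124.10.

```python
"""Hunt for the C2 and persistence indicators from this sandbox report in log lines."""
import re
from urllib.parse import urlsplit

# (family, field, value) copied from the extracted configs in the report.
# Both RedLine botnets (grome, kinza) share the same socket, so it is listed once.
EXTRACTED_CONFIG = [
    ("smokeloader", "c2", "http://77.91.68.29/fks/"),
    ("redline", "c2", "77.91.124.86:19084"),
    ("amadey", "c2", "http://77.91.124.1/theme/index.php"),
    ("amadey", "install_dir", "fefffe8cea"),
    ("amadey", "install_file", "explothe.exe"),
]

# Constructed sample events (not from the report): proxy, firewall and Sysmon-style lines.
# Line 3 is a near-miss (77.91.124.10) that a naive substring match would report.
SAMPLE_LOG = [
    '2023-11-01T10:02:11Z proxy src=10.0.0.23 method=POST url="http://77.91.68.29/fks/" status=200',
    "2023-11-01T10:02:15Z fw ALLOW tcp 10.0.0.23:51422 -> 77.91.124.86:19084",
    '2023-11-01T10:02:20Z proxy src=10.0.0.23 method=GET url="http://77.91.124.10/theme/index.php" status=404',
    "2023-11-01T10:03:01Z sysmon ProcessCreate Image=C:\\Users\\bob\\AppData\\Local\\Temp\\fefffe8cea\\explothe.exe",
    '2023-11-01T10:04:00Z proxy src=10.0.0.24 method=GET url="https://example.com/" status=200',
]


def build_indicators(config):
    """Map each normalised indicator value to (kind, family).

    A URL yields both the full URL and its bare host; a host:port yields both the
    socket and the bare host, so a firewall log without URLs still matches.
    """
    indicators = {}
    for family, field, value in config:
        if field == "c2" and "://" in value:
            indicators[value.lower()] = ("c2_url", family)
            indicators[urlsplit(value).hostname] = ("c2_host", family)
        elif field == "c2":
            host, _, _port = value.rpartition(":")
            indicators[value] = ("c2_socket", family)
            indicators[host] = ("c2_host", family)
        else:
            indicators[value.lower()] = (field, family)
    return indicators


def _pattern(value):
    """Compile a case-insensitive pattern that only matches the whole token.

    The lookarounds reject a preceding/following word character or dot, so an IP,
    socket, URL or file name never matches as a prefix of a longer token
    (e.g. 77.91.124.1 inside 77.91.124.10, or a hex dir name inside a hash).
    """
    return re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", re.IGNORECASE)


def scan_log(lines, indicators):
    """Return (line_no, kind, indicator, family) for every indicator hit; line_no is 1-based."""
    compiled = [(value, _pattern(value), kind, family)
                for value, (kind, family) in indicators.items()]
    hits = []
    for line_no, line in enumerate(lines, 1):
        for value, pattern, kind, family in compiled:
            if pattern.search(line):
                hits.append((line_no, kind, value, family))
    return hits


def hit_lines(hits):
    """Distinct 1-based line numbers that matched at least one indicator."""
    return sorted({line_no for line_no, _, _, _ in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, build_indicators(EXTRACTED_CONFIG))
    for line_no, kind, value, family in found:
        print(f"line {line_no}: {family:<11} {kind:<13} {value}")
    print("lines with hits:", hit_lines(found))
```

The near-miss on line 3 is why the anchoring matters: a bare `in` substring check on the host would flag it, and in a real proxy feed that is exactly the kind of false positive that buries the true SmokeLoader and RedLine beacons on lines 1 and 2.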
Targets
-
Target
361a0108b53be576572fdef0392c9c1b76d47f00d281ead2891c91a5f42b1272
-
Size
1.5MB
-
MD5
0cfd151bfb976d0d5f05d09b70b2ff69
-
SHA1
69e8db15c9427daffc2653dfdf6c7fce44180718
-
SHA256
361a0108b53be576572fdef0392c9c1b76d47f00d281ead2891c91a5f42b1272
-
SHA512
e62f1c28aa6e65b3b6d406f003d6091a614394b60f73d83aaf46c78154fb5cb82034f43febd0500823396f3c2c0910fa12c3c28784d2f60285308326abdb362a
-
SSDEEP
24576:iyIstJ371Xhq2+2yee/4VKe+uattS8oqCMRP8TccM5JM8EKU2CbRE3t03jY5y6ff:Jlt97Y22/4zLapoqCwFPEFbR53lBBu
-
DcRat
DarkCrystal (DC) RAT is a .NET RAT active since June 2019, capable of loading additional plugins.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check used to avoid running in certain regions.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext (a common step in process hollowing / thread hijacking)
-
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
-
Create or Modify System Process: 1
-
Windows Service: 1
-
Boot or Logon Autostart Execution: 1
-
Registry Run Keys / Startup Folder: 1
-
Scheduled Task/Job: 1
Privilege Escalation
-
Create or Modify System Process: 1
-
Windows Service: 1
-
Boot or Logon Autostart Execution: 1
-
Registry Run Keys / Startup Folder: 1
-
Scheduled Task/Job: 1