General

  • Target

    73628586c7c2b8835c904d9fab72a256c9b7a69df68a1f85fe50fe94545f3c4a

  • Size

    321KB

  • Sample

    231101-1qjrrsde6t

  • MD5

    d3da6b08f4c98b506f43e6ea23cc6022

  • SHA1

    79d448c6112fb2d09ae06b6facd75f2c7d974723

  • SHA256

    3546beb118d30291d229803031f3de33f645044b90032a0d2a6a39341d001d18

  • SHA512

    2a037dd8f3db66776e253a158439a55610ea14f75d0523b8c3a752c16e5e0190730cf1fe3ae04945122c9e09dd832d22c226f38eafdeb6e1ff6973c99d977c78

  • SSDEEP

    6144:5dPFedEpZOrU2Ii81SYc9sVBrnctueYq1A742q21yZbWQ:5dosM4i8gxs3Xq1N2q21yZ3

Malware Config

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://77.91.68.29/fks/

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    redline

  • Botnet

    grome

  • C2

    77.91.124.86:19084

Extracted

  • Family

    redline

  • Botnet

    kinza

  • C2

    77.91.124.86:19084

Targets

    • Target

      73628586c7c2b8835c904d9fab72a256c9b7a69df68a1f85fe50fe94545f3c4a

    • Size

      891KB

    • MD5

      d458b50c0bc7724c0ac4641a53e540f1

    • SHA1

      771ec67bb148baed1ca7351b0733a6fe83ae9d80

    • SHA256

      73628586c7c2b8835c904d9fab72a256c9b7a69df68a1f85fe50fe94545f3c4a

    • SHA512

      44223168dfd6b020f45902c63adc0e5d05abc1b2aacc262b7bf7b138f108ae4dfd5b5e20ea38ade0072d26254b0eec6e6764f78039b2d5fd0de62d5d2fec45c2

    • SSDEEP

      12288:WqAP1oO7rmNwdUUEE+qgnulOdnuODG9KDFkXbzyu2yYybAPAP:oaUmNwdUUEE+B1dbS9KDF6AP

    • Detected google phishing page

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • System Information Discovery (T1082): 3

  • Query Registry (T1012): 3

  • Peripheral Device Discovery (T1120): 1

Tasks