General
-
Target
NEAS.541ca6bc7b33b1867420b1f8ce76a390.exe
-
Size
1.4MB
-
Sample
231101-rf14maca2s
-
MD5
541ca6bc7b33b1867420b1f8ce76a390
-
SHA1
eaab61a9430c5ba04c8159fa82ab2677b2d17af2
-
SHA256
b1b3191ac65a0cc5a4a9745770420e4f67a919fb48b117b4bbd44b3528313fda
-
SHA512
50e2a863ae8eb8137d2caff089147480078123908f682872c51ee23fb0ba846b83fd443fccb39c841423a765771fa0a82d64207eb1fb9471f901578bdc85d667
-
SSDEEP
24576:syEfx0xyiFBskBZhlAIr8Z4mQYgOluIqI7TkvQJsF9Lv4lnBG3JRMpJw:bEx2yaTln4al/TK5kLknBqRM
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.541ca6bc7b33b1867420b1f8ce76a390.exe
Resource
win10v2004-20231025-en
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Targets
-
-
Target
NEAS.541ca6bc7b33b1867420b1f8ce76a390.exe
-
Size
1.4MB
-
MD5
541ca6bc7b33b1867420b1f8ce76a390
-
SHA1
eaab61a9430c5ba04c8159fa82ab2677b2d17af2
-
SHA256
b1b3191ac65a0cc5a4a9745770420e4f67a919fb48b117b4bbd44b3528313fda
-
SHA512
50e2a863ae8eb8137d2caff089147480078123908f682872c51ee23fb0ba846b83fd443fccb39c841423a765771fa0a82d64207eb1fb9471f901578bdc85d667
-
SSDEEP
24576:syEfx0xyiFBskBZhlAIr8Z4mQYgOluIqI7TkvQJsF9Lv4lnBG3JRMpJw:bEx2yaTln4al/TK5kLknBqRM
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1