General
- Target: d112da3669da0ca1489eef57ab3c6a6edcece5beea581b964b721679d66d79d7
- Size: 1.5MB
- Sample: 231101-ykj48scf4y
- MD5: 11baf84e51a2c3a6469db2d12d9df1f5
- SHA1: 34a5febeacfb91ce21ce4e72f47edc86cbeced58
- SHA256: c3302e85da983398265f853078caa80a9fafbfa5002e734c63381c724ad54c48
- SHA512: 2bdbe2114207c19bee1890e6d793e49b4631cbb191f20df3ac120957807dd8428b76acfcb2d78ebdc5b425085ce7a09f53bd3f001c42ebfaf233891513f02aa4
- SSDEEP: 24576:W/yUo6T8tH1tuSOfLlN/E7st6kFi9lwS9fu3vSbDjVX72kAsn5e6RiUzqmoNIVXT:BeT8sZI7stU9lwCfo8fVL2M5en4oGJT
Static task: static1
Behavioral task: behavioral1
- Sample: d112da3669da0ca1489eef57ab3c6a6edcece5beea581b964b721679d66d79d7.exe
- Resource: win10v2004-20231023-en
Malware Config
Extracted: smokeloader
- 2022
- http://77.91.68.29/fks/
Extracted: redline
- grome
- 77.91.124.86:19084
Extracted: amadey
- 3.89
- http://77.91.124.1/theme/index.php
- install_dir: fefffe8cea
- install_file: explothe.exe
- strings_key: 36a96139c1118a354edf72b1080d4b2f
Targets
- Target: d112da3669da0ca1489eef57ab3c6a6edcece5beea581b964b721679d66d79d7
- Size: 1.5MB
- MD5: 5144e7563fedae4f5db1f52e55a6af82
- SHA1: 08ea7334a42fc5b8718d93600e8d796713f5c0d7
- SHA256: d112da3669da0ca1489eef57ab3c6a6edcece5beea581b964b721679d66d79d7
- SHA512: fd63fff8a13a7ef6e000f2cd4fff0a58447354a28dc18116c4eef714f5659f0e570ff827102239d91614a15f9fd2fdf9a536339157b1eb293f363cde82c43d43
- SSDEEP: 24576:eyFguN811BVuzRfLpp/IJCBgkFE0b4vS9fmJfSJljRY72kAQn3eARmuOJIrY:t5N8ydoJCBpEvCfCI9RY2w3eFu1
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)