General
-
Target
d70c78709aed556d398e6144a7c8b607cc4b80c955a50fa60aa29fb21c3614be
-
Size
957KB
-
Sample
231101-zp39caeg86
-
MD5
cbe32f1fcf5a77fe198bccdce3067827
-
SHA1
9f542ad5bc75e53bce25a79281a9ae9986f1cb95
-
SHA256
d70c78709aed556d398e6144a7c8b607cc4b80c955a50fa60aa29fb21c3614be
-
SHA512
069af973fb48f149f6c3bc42542fe1f21133787db19b832733c5781396c0bc4d70a0253602e70b5ee8e41bce5f1bbabf102322f6dd7575cd3f1d144f4a04d1db
-
SSDEEP
12288:KbcUfo2dAKlpItf+BV3XHSlHYBPHJqXbmxoRj3cQpRnRu9cdTEkV:XUw2dAK4tf+BVHHkIoRj3cQD
Static task
static1
Behavioral task
behavioral1
Sample
d70c78709aed556d398e6144a7c8b607cc4b80c955a50fa60aa29fb21c3614be.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
d70c78709aed556d398e6144a7c8b607cc4b80c955a50fa60aa29fb21c3614be.exe
Resource
win10v2004-20231023-en
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
redline
kinza
77.91.124.86:19084
Targets
-
-
Target
d70c78709aed556d398e6144a7c8b607cc4b80c955a50fa60aa29fb21c3614be
-
Size
957KB
-
MD5
cbe32f1fcf5a77fe198bccdce3067827
-
SHA1
9f542ad5bc75e53bce25a79281a9ae9986f1cb95
-
SHA256
d70c78709aed556d398e6144a7c8b607cc4b80c955a50fa60aa29fb21c3614be
-
SHA512
069af973fb48f149f6c3bc42542fe1f21133787db19b832733c5781396c0bc4d70a0253602e70b5ee8e41bce5f1bbabf102322f6dd7575cd3f1d144f4a04d1db
-
SSDEEP
12288:KbcUfo2dAKlpItf+BV3XHSlHYBPHJqXbmxoRj3cQpRnRu9cdTEkV:XUw2dAK4tf+BVHHkIoRj3cQD
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1