General

Target: 46d94d716c58e2da156612f859145215.bin
Size: 1.5MB
Sample: 231102-b7gajafa6y
MD5: 76081bfb2a63689e768a1fdfea7005fc
SHA1: 0ba8f760b61e535ffeb449d5696556d01b123f88
SHA256: e29a31ec90157c6987ddcd55ca3627a6ca970105a276f977c0ac0b8e49940634
SHA512: 2a7dbf8246717dacd954047cb198668447094d0c3151f05e1a872ea082aa09d658032063c355f9586ad7cdd262239e60bd781f796a3416256ec213b3b843a2f5
SSDEEP: 24576:Ua8Nssi6OHz69X6id3O+yLmLXNUiQF1I6z0dv6LUy8uCjjNTavgGccsP88JVRy:nLLX4DJ1LdUicq1XV9GcC4Py
Static task: static1
Behavioral task: behavioral1
Sample: 57d2044bd63b380c7600b1d8d6b396197c6d3b8636ee6ef7ee74f57695a69bc2.exe
Resource: win10v2004-20231020-en
Malware Config

Extracted: smokeloader
  Version: 2022
  C2: http://77.91.68.29/fks/

Extracted: redline
  Botnet: grome
  C2: 77.91.124.86:19084

Extracted: amadey
  Version: 3.89
  C2: http://77.91.124.1/theme/index.php
  install_dir: fefffe8cea
  install_file: explothe.exe
  strings_key: 36a96139c1118a354edf72b1080d4b2f

Extracted: redline
  Botnet: plost
  C2: 77.91.124.86:19084

Extracted: redline
  Botnet: kedru
  C2: 77.91.124.86:19084
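As an added example (not output of the sandbox and not part of this report), the Python below takes the extracted configs exactly as listed above, normalises the mixed URL and host:port C2 values into one indicator set, and runs them over a few constructed log lines: three proxy entries, one benign entry and a Run-key export. The log lines and the `%LOCALAPPDATA%\Temp` parent directory in the Run-key line are constructed; the report only gives `install_dir` and `install_file`, so the matcher keys on the `fefffe8cea\explothe.exe` fragment and makes no assumption about where Amadey puts it.

```python
"""Turn the configs extracted from this sample into matchable IOCs and run them
over constructed log lines. Added example, not sandbox output; the log lines and
the Run-key path are test data, not observations from the report."""
import re
from urllib.parse import urlsplit

# The five "Extracted" blocks from the report, one dict each.
EXTRACTED = [
    {"family": "smokeloader", "version": "2022", "c2": ["http://77.91.68.29/fks/"]},
    {"family": "redline", "botnet": "grome", "c2": ["77.91.124.86:19084"]},
    {"family": "redline", "botnet": "plost", "c2": ["77.91.124.86:19084"]},
    {"family": "redline", "botnet": "kedru", "c2": ["77.91.124.86:19084"]},
    {"family": "amadey", "version": "3.89", "c2": ["http://77.91.124.1/theme/index.php"],
     "install_dir": "fefffe8cea", "install_file": "explothe.exe"},
]


def parse_c2(c2):
    """Normalise a C2 value to (host, port, path).

    Sandbox configs mix full URLs (SmokeLoader, Amadey) with bare host:port
    pairs (RedLine); path is None for the latter."""
    if "://" in c2:
        u = urlsplit(c2)
        port = u.port or (443 if u.scheme == "https" else 80)
        return u.hostname, port, (u.path or "/")
    host, _, port = c2.rpartition(":")
    return host, int(port), None


def build_iocs(extracted=EXTRACTED):
    """Return ({(host, port): {family, ...}}, [(compiled path regex, family)])."""
    net, paths = {}, []
    for cfg in extracted:
        for c2 in cfg["c2"]:
            host, port, _ = parse_c2(c2)
            net.setdefault((host, port), set()).add(cfg["family"])
        if "install_dir" in cfg and "install_file" in cfg:
            # Assumption: the dropped file appears as <install_dir>\<install_file>
            # somewhere on disk; the parent directory is deliberately left open.
            pat = (r"[\\/]" + re.escape(cfg["install_dir"]) + r"[\\/]"
                   + re.escape(cfg["install_file"]) + r"\b")
            paths.append((re.compile(pat, re.IGNORECASE), cfg["family"]))
    return net, paths


def blocklist(extracted=EXTRACTED):
    """Sorted host:port strings suitable for a firewall or proxy deny list."""
    net, _ = build_iocs(extracted)
    return sorted(f"{h}:{p}" for h, p in net)


CONN_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def match_line(line, iocs):
    """Set of families whose indicators appear in one log line (empty if none)."""
    net, paths = iocs
    hits = set()
    for url in URL_RE.findall(line):          # URLs: compare host and port
        host, port, _ = parse_c2(url)
        hits.update(net.get((host, port), ()))
    for host, port in CONN_RE.findall(line):  # bare ip:port (CONNECT, netflow)
        hits.update(net.get((host, int(port)), ()))
    for pat, family in paths:                 # dropped-file path fragments
        if pat.search(line):
            hits.add(family)
    return hits


def scan(lines, extracted=EXTRACTED):
    """[(line index, families)] for every line that matched at least one IOC."""
    iocs = build_iocs(extracted)
    return [(i, h) for i, h in ((i, match_line(l, iocs)) for i, l in enumerate(lines)) if h]


# Constructed sample lines; none of these come from the report.
SAMPLE_LOGS = [
    "2023-11-02T12:00:01Z 10.0.0.5 CONNECT 77.91.124.86:19084 allowed",
    "2023-11-02T12:00:03Z 10.0.0.5 GET http://77.91.68.29/fks/ 200",
    "2023-11-02T12:00:05Z 10.0.0.5 POST http://77.91.124.1/theme/index.php 200",
    "2023-11-02T12:00:07Z 10.0.0.5 GET http://example.com/ 200",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run explothe "
    r"C:\Users\victim\AppData\Local\Temp\fefffe8cea\explothe.exe",
]

if __name__ == "__main__":
    print("deny:", blocklist())
    for idx, fams in scan(SAMPLE_LOGS):
        print(idx, sorted(fams), SAMPLE_LOGS[idx])
```

The three RedLine botnet entries collapse to a single `77.91.124.86:19084` indicator, which is why the deny list has three entries rather than five; the URL-only C2s are matched on host and port so a connection to the same server with a different path still fires.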
Targets

Target: 57d2044bd63b380c7600b1d8d6b396197c6d3b8636ee6ef7ee74f57695a69bc2.exe
Size: 1.5MB
MD5: 46d94d716c58e2da156612f859145215
SHA1: 9d5810b3c1e7167a3f6afdf740080947585f4d3e
SHA256: 57d2044bd63b380c7600b1d8d6b396197c6d3b8636ee6ef7ee74f57695a69bc2
SHA512: 9c72d1342e56e82662d06f3d67ada50b3c858665c798e4bf5556a9246970278e42c4466b44cd0b589a00ed907902ecf3864270d0cbe5c39dca239b43aa9ca69d
SSDEEP: 49152:VNeeldyS3eX8snW3UY5eqUm5Rty8fyY6kJ+c6ZYSq:iqdF3eXDWx5fRtyVZZ
- DcRat
  DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)