General
Target: NEAS.4e3f52f537fb3b61b27a53a2d12b4390_JC.exe
Size: 1.4MB
Sample: 231102-s9ps5aed3s
MD5: 4e3f52f537fb3b61b27a53a2d12b4390
SHA1: 1f0b873c81551fbfb99c0cc2a6c1f8589ec2ebd1
SHA256: e23562e2812c112ceab2d3f2e5c01b65b0a65a7c8e2e7f5b38a5456dea84244d
SHA512: 5ec05dbe676cde9d2c4fe27d9aa76c9fca065ad328872d216b037273cc69f0e036cd4578856c46ffadb580ae4a55845eaffcd59b9116984091be282909888a6b
SSDEEP: 24576:KyZi2wOJmJRoMxy5jK5KLcuQKDnef1Kit/XSJNPl4yzWMTJn:RHJjMcjGKLKAef1hCJNPltz5
Static task: static1

Malware Config
Extracted: smokeloader
  2022
  http://77.91.68.29/fks/
Extracted: redline
  grome
  77.91.124.86:19084
Extracted: amadey
  3.89
  http://77.91.124.1/theme/index.php
  install_dir: fefffe8cea
  install_file: explothe.exe
  strings_key: 36a96139c1118a354edf72b1080d4b2f
Extracted: redline
  kedru
  77.91.124.86:19084
Extracted: redline
  plost
  77.91.124.86:19084
Targets
Target: NEAS.4e3f52f537fb3b61b27a53a2d12b4390_JC.exe
Size: 1.4MB
MD5: 4e3f52f537fb3b61b27a53a2d12b4390
SHA1: 1f0b873c81551fbfb99c0cc2a6c1f8589ec2ebd1
SHA256: e23562e2812c112ceab2d3f2e5c01b65b0a65a7c8e2e7f5b38a5456dea84244d
SHA512: 5ec05dbe676cde9d2c4fe27d9aa76c9fca065ad328872d216b037273cc69f0e036cd4578856c46ffadb580ae4a55845eaffcd59b9116984091be282909888a6b
SSDEEP: 24576:KyZi2wOJmJRoMxy5jK5KLcuQKDnef1Kit/XSJNPl4yzWMTJn:RHJjMcjGKLKAef1hCJNPltz5

Signatures
- DcRat
  DarkCrystal (DC) is a .NET RAT active since June 2019 that can load additional plugins.
- RedLine
  RedLine Stealer is a malware family written in C#, first seen in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)