General
-
Target
c3a76da20a70b7975d1e529997f37ac5.exe
-
Size
1.4MB
-
Sample
231111-sra71shc6x
-
MD5
c3a76da20a70b7975d1e529997f37ac5
-
SHA1
1e43e343a437ee830027c6af30014de83403be96
-
SHA256
e2336251279843322a02ee9337cc650d5b14a6684fe40377c8fed6529a7e370c
-
SHA512
26dbd5431f631e3149f93b1385bcc2e29e3e573df9b6eebdf7363bd289ca5affee06bcd400315ad47cc32ab535cb1c3522c1b268fa20273648eeea7738f31c31
-
SSDEEP
24576:0y94qWXvT1a8ZHMvQWGHTqe0Isa68GnWIDnYXDmk/5/ori8y0ckwfE6FKn:D94qWZdyKmeTBhGFBhEkmk
Static task
static1
Behavioral task
behavioral1
Sample
c3a76da20a70b7975d1e529997f37ac5.exe
Resource
win10v2004-20231020-en
Malware Config
Extracted
smokeloader
2022
http://5.42.92.190/fks/index.php
Extracted
redline
taiga
5.42.92.51:19057
Extracted
redline
pixelnew2.0
194.49.94.11:80
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Targets
-
-
Target
c3a76da20a70b7975d1e529997f37ac5.exe
-
Size
1.4MB
-
MD5
c3a76da20a70b7975d1e529997f37ac5
-
SHA1
1e43e343a437ee830027c6af30014de83403be96
-
SHA256
e2336251279843322a02ee9337cc650d5b14a6684fe40377c8fed6529a7e370c
-
SHA512
26dbd5431f631e3149f93b1385bcc2e29e3e573df9b6eebdf7363bd289ca5affee06bcd400315ad47cc32ab535cb1c3522c1b268fa20273648eeea7738f31c31
-
SSDEEP
24576:0y94qWXvT1a8ZHMvQWGHTqe0Isa68GnWIDnYXDmk/5/ori8y0ckwfE6FKn:D94qWZdyKmeTBhGFBhEkmk
-
Detect Mystic stealer payload
-
Detect ZGRat V1
-
Glupteba payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2