General
-
Target
c08eee0129f5e63f5226ff413a14a442cd931290cfcac55e2192a704eff63562
-
Size
288KB
-
Sample
231125-2vgcwadd54
-
MD5
0e609e4681b1b5244aed42409f22d19c
-
SHA1
9b0627a36900165af87270a52c6eb07d30e9fa43
-
SHA256
c08eee0129f5e63f5226ff413a14a442cd931290cfcac55e2192a704eff63562
-
SHA512
bb05373ab0eff4ec160aae10433a80ce9ee176ec9f55063f96d1bca73ae14429bd19960e8fc9d520ae144f2ec6f6ec7c9b95b8e185c228c1415c379bc4db0196
-
SSDEEP
3072:vi7VODdV86tS0hqvA7DxTesY6qgN/1IrfZ0eGV0FrQ5mg/zqX5kVyBk3eFx/RiPB:KpOBVHtS0hqvA7Dxa9pgN/2rO4n6Q+
Static task
static1
Behavioral task
behavioral1
Sample
c08eee0129f5e63f5226ff413a14a442cd931290cfcac55e2192a704eff63562.exe
Resource
win10-20231023-en
Malware Config
Extracted
smokeloader
2022
http://onualituyrs.org/
http://sumagulituyo.org/
http://snukerukeutit.org/
http://lightseinsteniki.org/
http://liuliuoumumy.org/
http://stualialuyastrelia.net/
http://kumbuyartyty.net/
http://criogetikfenbut.org/
http://tonimiuyaytre.org/
http://tyiuiunuewqy.org/
Extracted
redline
LogsDiller Cloud (Bot: @logsdillabot)
194.49.94.181:40264
Extracted
amadey
4.12
http://185.172.128.19
-
install_dir
cd1f156d67
-
install_file
Utsysc.exe
-
strings_key
0dd3e5ee91b367c60c9e575983554b30
-
url_paths
/ghsdh39s/index.php
Targets
-
-
Target
c08eee0129f5e63f5226ff413a14a442cd931290cfcac55e2192a704eff63562
-
Size
288KB
-
MD5
0e609e4681b1b5244aed42409f22d19c
-
SHA1
9b0627a36900165af87270a52c6eb07d30e9fa43
-
SHA256
c08eee0129f5e63f5226ff413a14a442cd931290cfcac55e2192a704eff63562
-
SHA512
bb05373ab0eff4ec160aae10433a80ce9ee176ec9f55063f96d1bca73ae14429bd19960e8fc9d520ae144f2ec6f6ec7c9b95b8e185c228c1415c379bc4db0196
-
SSDEEP
3072:vi7VODdV86tS0hqvA7DxTesY6qgN/1IrfZ0eGV0FrQ5mg/zqX5kVyBk3eFx/RiPB:KpOBVHtS0hqvA7Dxa9pgN/2rO4n6Q+
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-