General
Target: 49f65e66b00f5178744bb3e3c1f7572aad43485fbbf6b4a3f729e58bf86c8d74
Size: 288KB
Sample: 231125-zarxrsda5y
MD5: c04ee29cc098afc72469c1bd01b06dd4
SHA1: 31dfc31f70793781e024251f5692b0f31cf96910
SHA256: 49f65e66b00f5178744bb3e3c1f7572aad43485fbbf6b4a3f729e58bf86c8d74
SHA512: 6ce5e9586fcf6c665305be1044703167a7f25e6450c95a013aa12d9a0c2a82cee4ce9bbf087b5b3db49139237bb030958326a8741746cb870f0f344e09c2ce66
SSDEEP: 3072:FIy+dIrLEj2qPpwqRY29MX6Xn/xQ5mg1/4r/E5kVyBk3eFx/RiPB:a5dALEjV1MXYBk/YQ+
Static task: static1
Behavioral task: behavioral1
Sample: 49f65e66b00f5178744bb3e3c1f7572aad43485fbbf6b4a3f729e58bf86c8d74.exe
Resource: win10-20231023-en
Malware Config
Extracted: smokeloader
Version: 2022
C2 URLs:
http://onualituyrs.org/
http://sumagulituyo.org/
http://snukerukeutit.org/
http://lightseinsteniki.org/
http://liuliuoumumy.org/
http://stualialuyastrelia.net/
http://kumbuyartyty.net/
http://criogetikfenbut.org/
http://tonimiuyaytre.org/
http://tyiuiunuewqy.org/
Extracted: redline
Botnet: LogsDiller Cloud (Bot: @logsdillabot)
C2: 194.49.94.181:40264
Extracted: amadey
Version: 4.12
C2: http://185.172.128.19
install_dir: cd1f156d67
install_file: Utsysc.exe
strings_key: 0dd3e5ee91b367c60c9e575983554b30
url_paths: /ghsdh39s/index.php
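The three extracted configs above are only useful once they are turned into something that can be run over telemetry. The following is an added example (not part of the sandbox report and not the sample's own code) that normalises the page's SmokeLoader C2 hosts, the RedLine IP:port, and the Amadey C2, URL path, install directory and install file into one indicator set, then matches constructed proxy, flow and process-creation records against it. The record formats (`PROXY`, `FLOW`, `PROC`) and the log lines are made up for the demo; the indicator values are the ones shown on the page.

```python
"""Hunt for the SmokeLoader / RedLine / Amadey indicators from the report.

Added example; config values are copied from the sandbox report, the log
records and their three-column format are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# Values from the extracted configs on the page.
SMOKELOADER_C2 = [
    "http://onualituyrs.org/", "http://sumagulituyo.org/", "http://snukerukeutit.org/",
    "http://lightseinsteniki.org/", "http://liuliuoumumy.org/",
    "http://stualialuyastrelia.net/", "http://kumbuyartyty.net/",
    "http://criogetikfenbut.org/", "http://tonimiuyaytre.org/", "http://tyiuiunuewqy.org/",
]
REDLINE_C2 = "194.49.94.181:40264"
AMADEY_C2 = "http://185.172.128.19"
AMADEY_URL_PATHS = ["/ghsdh39s/index.php"]
AMADEY_INSTALL_DIR = "cd1f156d67"
AMADEY_INSTALL_FILE = "Utsysc.exe"


def build_iocs():
    """Normalise the configs into a set of (family, kind, value) indicators."""
    iocs = set()
    for url in SMOKELOADER_C2:
        iocs.add(("smokeloader", "host", urlsplit(url).hostname.lower()))
    ip, port = REDLINE_C2.rsplit(":", 1)
    iocs.add(("redline", "socket", f"{ip}:{int(port)}"))
    c2_host = urlsplit(AMADEY_C2).hostname.lower()
    iocs.add(("amadey", "host", c2_host))
    for path in AMADEY_URL_PATHS:
        iocs.add(("amadey", "url", c2_host + path))
    # Amadey drops itself as <install_dir>\<install_file>; match either path component.
    iocs.add(("amadey", "path_part", AMADEY_INSTALL_DIR.lower()))
    iocs.add(("amadey", "path_part", AMADEY_INSTALL_FILE.lower()))
    return iocs


# Constructed record shapes (an assumption for the demo, not a real log format):
#   PROXY <src-ip> <method> <url>     FLOW <src-ip> <dst-ip>:<port>     PROC <host> <image path>
PROXY_RE = re.compile(r"^PROXY (\S+) (\w+) (\S+)$")
FLOW_RE = re.compile(r"^FLOW (\S+) (\S+):(\d+)$")
PROC_RE = re.compile(r"^PROC (\S+) (.+)$")


def match_line(line, iocs):
    """Return the sorted list of indicators that a single record hits."""
    hits = set()
    if m := PROXY_RE.match(line):
        u = urlsplit(m.group(3))
        host = (u.hostname or "").lower()
        for fam, kind, val in iocs:
            if (kind == "host" and host == val) or (kind == "url" and host + u.path == val):
                hits.add((fam, kind, val))
    elif m := FLOW_RE.match(line):
        sock = f"{m.group(2)}:{int(m.group(3))}"
        hits.update(i for i in iocs if i[1] == "socket" and i[2] == sock)
    elif m := PROC_RE.match(line):
        # Compare each path component case-insensitively, whichever separator was logged.
        parts = [p.lower() for p in re.split(r"[\\/]", m.group(2))]
        hits.update(i for i in iocs if i[1] == "path_part" and i[2] in parts)
    return sorted(hits)


def scan(lines, iocs=None):
    """Map every record that hits at least one indicator to its hits."""
    iocs = build_iocs() if iocs is None else iocs
    result = {}
    for line in lines:
        hits = match_line(line, iocs)
        if hits:
            result[line] = hits
    return result


SAMPLE_LOG = [  # constructed records, not from the sandbox run
    "PROXY 10.0.0.5 GET http://onualituyrs.org/",
    "PROXY 10.0.0.5 POST http://185.172.128.19/ghsdh39s/index.php",
    "PROXY 10.0.0.7 GET http://www.example.com/index.php",
    "FLOW 10.0.0.5 194.49.94.181:40264",
    "FLOW 10.0.0.5 194.49.94.181:443",
    r"PROC ws01 C:\Users\alice\AppData\Local\Temp\cd1f156d67\Utsysc.exe",
    r"PROC ws02 C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for rec, hits in scan(SAMPLE_LOG).items():
        print(rec, "->", ", ".join(f"{f}:{k}={v}" for f, k, v in hits))
```

The RedLine indicator is matched on the exact IP:port pair rather than the bare address, since a shared hosting IP on another port is a much weaker signal; the Amadey beacon matches on both the host and the full `index.php` path so a hit is attributable even when only one of the two is present in the record.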
Targets
Target: 49f65e66b00f5178744bb3e3c1f7572aad43485fbbf6b4a3f729e58bf86c8d74
Size: 288KB
MD5: c04ee29cc098afc72469c1bd01b06dd4
SHA1: 31dfc31f70793781e024251f5692b0f31cf96910
SHA256: 49f65e66b00f5178744bb3e3c1f7572aad43485fbbf6b4a3f729e58bf86c8d74
SHA512: 6ce5e9586fcf6c665305be1044703167a7f25e6450c95a013aa12d9a0c2a82cee4ce9bbf087b5b3db49139237bb030958326a8741746cb870f0f344e09c2ce66
SSDEEP: 3072:FIy+dIrLEj2qPpwqRY29MX6Xn/xQ5mg1/4r/E5kVyBk3eFx/RiPB:a5dALEjV1MXYBk/YQ+
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
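The two registry signatures above ("Identifies VirtualBox via ACPI registry values" and "Checks BIOS information in registry") describe what the sample reads, not what it looks for. The following is an added example, not code from the sample or from the sandbox, that reproduces the lookup from the defender's side so an analyst can see which artifacts a sandbox has to spoof. The key locations are the ones VirtualBox is known to populate (`HKLM\HARDWARE\ACPI\{DSDT,FADT,RSDT}\VBOX__` and the `SystemBiosVersion` / `VideoBiosVersion` values under `HKLM\HARDWARE\DESCRIPTION\System`); that the sample checks exactly these, and the marker strings in `VM_MARKERS`, are assumptions for the demo. On Windows it reads the live registry through `winreg`; elsewhere it runs against a constructed snapshot of a VirtualBox guest.

```python
"""Registry-based VirtualBox / BIOS checks of the kind the signatures flag.

Added example. Key names follow what VirtualBox is known to write; the
registry snapshots below are constructed, not captured from a real host.
"""
import sys

# VirtualBox registers its ACPI tables under an OEM id of "VBOX__" (assumption
# for the demo: this is the artifact the sample's ACPI check is looking for).
ACPI_TABLE_KEYS = [r"HARDWARE\ACPI\DSDT", r"HARDWARE\ACPI\FADT", r"HARDWARE\ACPI\RSDT"]
VBOX_ACPI_OEM = "VBOX__"
# BIOS strings exposed through the registry; REG_MULTI_SZ on a real host.
BIOS_VALUES = {r"HARDWARE\DESCRIPTION\System": ["SystemBiosVersion", "VideoBiosVersion"]}
VM_MARKERS = ("vbox", "virtualbox", "innotek")  # assumed marker substrings


def vm_artifacts(subkeys, read_value):
    """Return the list of hypervisor artifacts found.

    subkeys(path) -> list of child key names under HKLM\\path
    read_value(path, name) -> string value or None
    """
    findings = []
    for key in ACPI_TABLE_KEYS:
        for child in subkeys(key):
            if child.upper().startswith(VBOX_ACPI_OEM):
                findings.append(f"{key}\\{child}")
    for key, names in BIOS_VALUES.items():
        for name in names:
            val = read_value(key, name)
            if val and any(m in val.lower() for m in VM_MARKERS):
                findings.append(f"{key}!{name}={val}")
    return findings


# Constructed snapshots: one VirtualBox guest, one physical laptop.
FAKE_VBOX = {
    "subkeys": {k: ["VBOX__"] for k in ACPI_TABLE_KEYS},
    "values": {
        (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): "VBOX   - 1",
        (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"): "Oracle VM VirtualBox VBE Adapter",
    },
}
FAKE_BARE_METAL = {
    "subkeys": {k: ["LENOVO"] for k in ACPI_TABLE_KEYS},
    "values": {
        (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): "LENOVO - 1",
        (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"): "Intel Video BIOS",
    },
}


def snapshot_readers(snapshot):
    """Readers backed by a constructed dict, for offline use and tests."""
    return (lambda path: snapshot["subkeys"].get(path, []),
            lambda path, name: snapshot["values"].get((path, name)))


def winreg_readers():
    """Readers backed by the live HKLM hive; Windows only."""
    import winreg

    def subkeys(path):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
                return [winreg.EnumKey(k, i) for i in range(winreg.QueryInfoKey(k)[0])]
        except OSError:
            return []

    def read_value(path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
                val, _ = winreg.QueryValueEx(k, name)
        except OSError:
            return None
        return " ".join(val) if isinstance(val, list) else str(val)  # flatten REG_MULTI_SZ

    return subkeys, read_value


if __name__ == "__main__":
    readers = winreg_readers() if sys.platform == "win32" else snapshot_readers(FAKE_VBOX)
    found = vm_artifacts(*readers)
    print("hypervisor artifacts:", found or "none")
```

A sandbox that wants this sample to run to completion has to rename the ACPI table keys and rewrite both BIOS strings; a detection rule for the behaviour itself should key on the process opening `HKLM\HARDWARE\ACPI\*` and `HKLM\HARDWARE\DESCRIPTION\System` shortly after start, which is unusual for ordinary user-mode software.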