General

Target: 0x000600000001ab8d-53.dat
Size: 38KB
Sample: 231129-r6jbhahb41
MD5: 0de1c7e6a5ee4c1898c5a8a7f411ee71
SHA1: 0e9ba521613825b18d307a17f80e80f6c8dbca6c
SHA256: a002e5aeea1f935eeda8a50ee6f18a5cef58c0961fe504315a1554d90c64e349
SHA512: 4a2f2c49967a99a75afe1147cc54879ae9db90f6cc53ffdafb1dcf21a3b19d42baf881834cccd9894aaf66d0a51c0a7a048ec1c37c3602a8541a9e79278a4da7
SSDEEP: 768:f8FhylJE+hwr5hN7F0I0bQyvUgq65DQVi:f8qlJEQwrDNuIyvD5sV
Behavioral task: behavioral1
Sample: 0x000600000001ab8d-53.exe
Resource: win7-20231025-en

Behavioral task: behavioral2
Sample: 0x000600000001ab8d-53.exe
Resource: win10v2004-20231127-en
Malware Config

Extracted: smokeloader
Version: 2022
C2: http://194.49.94.210/fks/index.php

Extracted: redline
Botnet: @ytlogsbot
C2: 194.169.175.235:42691

Extracted: redline
Botnet: LiveTraffic
C2: 195.10.205.16:2245

Extracted: smokeloader
Botnet: up3
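The extracted configuration above is the most directly actionable part of the report: two RedLine C2 endpoints and one SmokeLoader HTTP gate. As an added example (not part of the sandbox output), the Python below normalises those entries into host/port indicators and matches them against a constructed outbound-connection log. The log line format, the host-only fallback match and the default port for URL-form C2s are assumptions of the example.

```python
"""Turn the extracted C2 configs into network indicators and match a connection log.
Added example; the log lines are constructed, not from the sandbox run."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# C2 entries exactly as extracted in the report's "Malware Config" section.
EXTRACTED_CONFIGS = [
    {"family": "smokeloader", "version": "2022", "c2": "http://194.49.94.210/fks/index.php"},
    {"family": "redline", "botnet": "@ytlogsbot", "c2": "194.169.175.235:42691"},
    {"family": "redline", "botnet": "LiveTraffic", "c2": "195.10.205.16:2245"},
    {"family": "smokeloader", "botnet": "up3"},  # extracted without a C2
]


@dataclass(frozen=True)
class NetIndicator:
    family: str
    host: str
    port: int
    path: Optional[str]  # set only for URL-form (HTTP) C2s


HOST_PORT_RE = re.compile(r"^(?P<host>[^:/\s]+):(?P<port>\d{1,5})$")


def to_indicator(cfg):
    """Normalise one extracted config to a host/port(/path) indicator; None if it has no C2."""
    c2 = cfg.get("c2")
    if not c2:
        return None
    if "://" in c2:
        u = urlparse(c2)
        port = u.port or (443 if u.scheme == "https" else 80)  # assumed default ports
        return NetIndicator(cfg["family"], u.hostname, port, u.path or "/")
    m = HOST_PORT_RE.match(c2)
    if not m:
        raise ValueError(f"unrecognised C2 form: {c2!r}")
    return NetIndicator(cfg["family"], m["host"], int(m["port"]), None)


def indicators(configs=EXTRACTED_CONFIGS):
    return [ind for ind in map(to_indicator, configs) if ind is not None]


# Constructed outbound-connection log (not from the sandbox run):
# "<ts> <src> -> <dst>:<port> [<method> <path>]"
SAMPLE_LOG = """\
2023-11-29T10:01:02Z 10.0.0.5 -> 194.49.94.210:80 POST /fks/index.php
2023-11-29T10:01:05Z 10.0.0.5 -> 142.250.74.36:443
2023-11-29T10:02:11Z 10.0.0.7 -> 194.169.175.235:42691
2023-11-29T10:02:40Z 10.0.0.7 -> 195.10.205.16:443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)"
    r"(?: (?P<method>\S+) (?P<path>\S+))?$"
)


def match_log(log_text, inds=None):
    """One hit per (log line, indicator) that share a destination host.
    'exact' is True when the port (and path, for HTTP C2s) also match; a
    host-only hit is still worth a look because C2 hosts get reused on other ports."""
    inds = indicators() if inds is None else inds
    by_host = {}
    for ind in inds:
        by_host.setdefault(ind.host, []).append(ind)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of dropping the whole batch
        for ind in by_host.get(m["dst"], []):
            exact = int(m["port"]) == ind.port and (ind.path is None or m["path"] == ind.path)
            hits.append({"ts": m["ts"], "src": m["src"], "family": ind.family,
                         "c2": f"{ind.host}:{ind.port}", "exact": exact})
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print(hit)
```

The fourth log line is reported as a non-exact hit: the host matches the second RedLine entry but the port does not, which is the case a port-only blocklist would miss.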
Targets

Target: 0x000600000001ab8d-53.dat (38KB; hashes as listed under General)

- Detect Lumma Stealer payload V2
- Detect ZGRat V1
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
- Stops running service(s)
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Create or Modify System Process (2): Windows Service (2)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Create or Modify System Process (2): Windows Service (2)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)