General
Target: 1b8d56c6a20147aaadcb509c81aa365a.exe
Size: 6.1MB
Sample: 231219-g663fsggd3
MD5: 1b8d56c6a20147aaadcb509c81aa365a
SHA1: 77a59d4188c9b0162633fcb116edb9a11382bfa3
SHA256: 075cf62d5396be3fb4fd724dab0aaf182a09f88f8f5b59a28dc956252fe0294d
SHA512: 6b49321e9cae28580afed0adaea91d42eaed7b16f9d31e1cd11e7d89f58216015a352021d7e910bc198278538944f4586bb9f0044c97e05822472d9277d2e603
SSDEEP: 196608:VkgjMmBaakMluFeNQIAGFlKpI4/oAob+Vw2:qmAmZQ3CKHozbn2

Static task: static1

Behavioral task: behavioral1
  Sample: 1b8d56c6a20147aaadcb509c81aa365a.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 1b8d56c6a20147aaadcb509c81aa365a.exe
  Resource: win10v2004-20231215-en
Malware Config
Extracted: smokeloader
  Version: 2022
  C2: http://185.215.113.68/fks/index.php
Extracted: redline
  Botnet: 666
  C2: 195.20.16.103:18305
Extracted: redline
  Botnet: LiveTraffic
  C2: 77.105.132.87:17066
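The three C2 endpoints above are the actionable output of this report. The script below, an added example and not sandbox output, normalises them into one record type and sweeps them over proxy and firewall log lines. The log format and every log line are constructed for illustration; only the C2 values come from the report. Host-only hits are scored lower than exact URL or host:port hits, because RedLine builds rotate ports while reusing infrastructure.

```python
"""Match the C2 values extracted above against proxy/firewall log lines.
Added example; the log format and the log lines themselves are constructed."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Values copied from the extracted configs in this report.
EXTRACTED = [
    ("smokeloader", "http://185.215.113.68/fks/index.php"),
    ("redline", "195.20.16.103:18305"),
    ("redline", "77.105.132.87:17066"),
]


@dataclass(frozen=True)
class C2:
    family: str
    host: str
    port: int
    path: Optional[str]  # URL path for HTTP C2, None for a raw TCP endpoint


def parse_c2(family: str, value: str) -> C2:
    """Normalise 'scheme://host[:port]/path' or 'host:port' into one record."""
    if "://" in value:
        u = urlparse(value)
        port = u.port or (443 if u.scheme == "https" else 80)
        return C2(family, u.hostname, port, u.path or "/")
    host, _, port = value.rpartition(":")
    return C2(family, host, int(port), None)


IOCS = [parse_c2(f, v) for f, v in EXTRACTED]

# Constructed (hypothetical) log lines in two shapes:
#   proxy:    "<ts> <src> <method> <url> <status>"
#   firewall: "<ts> <src>:<sport> -> <dst>:<dport> <action>"
LOGS = [
    "2023-12-19T10:01:02Z 10.0.0.5 POST http://185.215.113.68/fks/index.php 200",
    "2023-12-19T10:01:09Z 10.0.0.5:49211 -> 195.20.16.103:18305 ALLOW",
    "2023-12-19T10:02:00Z 10.0.0.7:49300 -> 77.105.132.87:443 ALLOW",
    "2023-12-19T10:03:00Z 10.0.0.9 GET http://example.com/index.php 200",
]

PROXY_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
FW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def match_line(line: str):
    """Return [(family, confidence), ...] for one log line.

    An exact URL or host:port hit is 'high'; the same host on a different
    path or port is 'medium', since stealer C2 ports rotate between builds.
    """
    hits = []
    m = PROXY_RE.match(line)
    if m:
        u = urlparse(m.group(4))
        for c in IOCS:
            if c.host == u.hostname:
                exact = c.path is not None and c.path == (u.path or "/")
                hits.append((c.family, "high" if exact else "medium"))
        return hits
    m = FW_RE.match(line)
    if m:
        dst, dport = m.group(4), int(m.group(5))
        for c in IOCS:
            if c.host == dst:
                hits.append((c.family, "high" if c.port == dport else "medium"))
    return hits


def scan(lines):
    """Line number plus hits for every line that touched a known C2."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in scan(LOGS):
        print(n, hits)
```

Running it flags the exact SmokeLoader POST and the exact RedLine connection as high-confidence, and the third line (same RedLine host, port 443) as medium, which is the hit an analyst should still pivot on rather than discard.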
Targets
Target: 1b8d56c6a20147aaadcb509c81aa365a.exe
Size: 6.1MB
MD5: 1b8d56c6a20147aaadcb509c81aa365a
SHA1: 77a59d4188c9b0162633fcb116edb9a11382bfa3
SHA256: 075cf62d5396be3fb4fd724dab0aaf182a09f88f8f5b59a28dc956252fe0294d
SHA512: 6b49321e9cae28580afed0adaea91d42eaed7b16f9d31e1cd11e7d89f58216015a352021d7e910bc198278538944f4586bb9f0044c97e05822472d9277d2e603
SSDEEP: 196608:VkgjMmBaakMluFeNQIAGFlKpI4/oAob+Vw2:qmAmZQ3CKHozbn2
Signatures
- Detect ZGRat V1
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  VirtualBox guests expose ACPI tables under HKLM\HARDWARE\ACPI (for example DSDT\VBOX__); reading these keys is a common check for a virtual machine.
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information (HKLM\HARDWARE\DESCRIPTION\System\BIOS) is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  The ThreadHideFromDebugger information class stops debug events from the calling thread reaching an attached debugger; a common anti-debugging trick.
- Suspicious use of SetThreadContext
  Rewriting another thread's register context is the usual way to redirect execution into injected code (for example in process hollowing).
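Several of the signatures above (the ACPI and BIOS checks, the Uninstall enumeration, the Run key) are registry behaviour, so they are the natural candidates for endpoint detection. The script below is an added example, not the sandbox's own signature code; it runs simple rules over constructed API-level registry telemetry with a hypothetical event schema (`pid`, `image`, `op`, `path`). It normalises the three hive spellings telemetry sources use, classifies each event, and only flags a process that both probes the environment and installs persistence, which keeps hardware-inventory tools and installers out of the alert queue.

```python
"""Registry-behaviour detection over constructed API-level telemetry.
Added example; the event schema is hypothetical and not the sandbox's own
signature code."""
import re
from collections import defaultdict

# Telemetry spells the hive three ways; fold them into one form before matching.
_HIVES = [
    (re.compile(r"^(\\REGISTRY\\MACHINE|HKEY_LOCAL_MACHINE)\\", re.I), "HKLM\\"),
    (re.compile(r"^HKEY_CURRENT_USER\\", re.I), "HKCU\\"),
    (re.compile(r"^(\\REGISTRY\\USER|HKEY_USERS)\\", re.I), "HKU\\"),
]


def norm(path: str) -> str:
    for rx, hive in _HIVES:
        path = rx.sub(lambda _m: hive, path)
    return path.upper()


# (rule, operations it applies to, key pattern on the normalised path)
RULES = [
    ("anti_vm_acpi", {"RegOpenKey", "RegQueryValue", "RegEnumKey"},
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)(\\|$)")),
    ("sandbox_bios", {"RegQueryValue"},
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS(\\|$)")),
    ("software_enum", {"RegEnumKey"},
     re.compile(r"^HKLM\\SOFTWARE\\(WOW6432NODE\\)?MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL(\\|$)")),
    ("run_key_persist", {"RegSetValue"},
     re.compile(r"^(HKLM|HKCU|HKU\\[^\\]+)\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\")),
]

# Constructed events: pid 4120 behaves like the sample in this report; 5000 and
# 5100 are benign lookalikes (an inventory read, an installer listing Uninstall).
SAMPLE = "C:\\Users\\user\\AppData\\Local\\Temp\\1b8d56c6a20147aaadcb509c81aa365a.exe"
EVENTS = [
    {"pid": 4120, "image": SAMPLE, "op": "RegOpenKey",
     "path": "\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__"},
    {"pid": 4120, "image": SAMPLE, "op": "RegQueryValue",
     "path": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer"},
    {"pid": 4120, "image": SAMPLE, "op": "RegEnumKey",
     "path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"},
    {"pid": 4120, "image": SAMPLE, "op": "RegSetValue",
     "path": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"pid": 5000, "image": "C:\\Windows\\System32\\svchost.exe", "op": "RegQueryValue",
     "path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName"},
    {"pid": 5100, "image": "C:\\Temp\\setup.exe", "op": "RegEnumKey",
     "path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall"},
]


def classify(event) -> list:
    """Names of every rule the single event satisfies."""
    p = norm(event["path"])
    return [name for name, ops, rx in RULES if event["op"] in ops and rx.match(p)]


def correlate(events) -> dict:
    """Per-pid rule set; flag only processes that probe the environment AND
    install persistence, so lone inventory reads or installs stay quiet."""
    per_pid = defaultdict(set)
    for e in events:
        for name in classify(e):
            per_pid[e["pid"]].add(name)
    out = {}
    for pid, names in per_pid.items():
        evasion = bool(names & {"anti_vm_acpi", "sandbox_bios"})
        out[pid] = {"rules": sorted(names),
                    "flag": evasion and "run_key_persist" in names}
    return out


if __name__ == "__main__":
    for pid, result in correlate(EVENTS).items():
        print(pid, result)
```

One caveat on sourcing the events: Sysmon records registry key creation and value writes (Event IDs 12 and 13), so the Run key write is visible there, but it does not record reads. The ACPI and BIOS queries that drive the anti-VM signatures only show up in API-hooking telemetry (an EDR sensor or a sandbox) or with object-access auditing enabled on those keys (Security event 4663). Without one of those sources, only the persistence half of this correlation can fire.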
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder, T1547.001 (1)
  Scheduled Task/Job, T1053 (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder, T1547.001 (1)
  Scheduled Task/Job, T1053 (1)