General
- Target: c0061cc9028a73844f3121fe399ad621.bin
- Size: 948KB
- Sample: 231220-d4l3qaachn
- MD5: 7a5b0d72ee7b01466364bb74c9396214
- SHA1: a71e65c849bff46bc188088308d3c34f03eea8a8
- SHA256: da8202138db119c47fe43c93c5b918ab2505ed5360dbe1c654713ad17e81c8e8
- SHA512: 8b75a840134742ac2d2374af7f746b4dce06bc6bb6b8579e93480233f166df55b7ad34f6cf7b6d8c00ca1f5b9356de3a4f289895b692ad12034a5dbfae55d772
- SSDEEP: 24576:NLZ4bDKADMLaSA0fuB+AfBpwf22LF2TQxxoHA:JZ4/KAQuSZfucA5pwf2tTQxxwA
Static task: static1
Behavioral task: behavioral1
  Sample: f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0.exe
  Resource: win10v2004-20231215-en
Malware Config
Extracted: smokeloader
  2022
  http://185.215.113.68/fks/index.php
Extracted: redline
  @oleh_ps
  176.123.7.190:32927
Extracted: smokeloader
  up3
Extracted: smokeloader
  2020
  http://host-file-host6.com/
  http://host-host-file8.com/
Extracted: stealc
  http://77.91.76.36
  url_path: /3886d2276f6914c4.php
Extracted: redline
  @ytlogsbot
  176.123.7.190:32927
Extracted: redline
  LiveTraffic
  77.105.132.87:17066
Targets
- Target: f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0.exe
- Size: 992KB
- MD5: c0061cc9028a73844f3121fe399ad621
- SHA1: 8ffa300ebca3ad064d99b590956be68703b8dcc9
- SHA256: f782933fb6a551cd97aabaf041ce9521694203199fe8a62efdfdd9dda00548e0
- SHA512: fec12b2ea21fbcc7fb5a16759b04037754d628d06b61287dc08813a7241cad8e7565e1aa775b79b5c5e7877ba520fa65326514288685429b7c00add734cf1622
- SSDEEP: 12288:JMrGy90p8E2wB06puJG1TP/XtLgM0VCND/4BW9whUI/l+22w2Z4pTqUt/ZacIa9s:DyU92wAJuLDd/4k9X29yZCT4cz2mur
- Detect ZGRat V1
- Glupteba payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Modifies Windows Firewall
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
- Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
- Windows Service (2)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (1)
- Disable or Modify Tools (1)
- Modify Registry (3)