General
-
Target
72fb4b278b6a9927a7d8a7801e5bb672.bin
-
Size
2.0MB
-
Sample
231228-b32qnsbga2
-
MD5
0affad01c7b7e3448debf05d11202d5b
-
SHA1
9b586adefd6c16874c1bc1cae88da85b882b7b57
-
SHA256
861bc492e059dd01b309812ef24197e64ce23c32dcb09af887cffab4399bde1c
-
SHA512
0757bd503edbf4461d1268cbb6f51f2c104a4188d07b7cd47b72d27b155c9bd2e525e3408913dc71cdcb5dc6666d0a41ff8546bc8ebe53de8446bdaba93139ad
-
SSDEEP
49152:zIx4ghx9nr3A3JmYHg65haG3VTj3I2+2n5oC:64ghxdIgehaGlf3Jn5oC
Static task
static1
Behavioral task
behavioral1
Sample
7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe
Resource
win10v2004-20231215-en
Malware Config
Extracted
smokeloader
2022
http://185.215.113.68/fks/index.php
Extracted
smokeloader
up3
Extracted
stealc
http://5.42.66.58
-
url_path
/3886d2276f6914c4.php
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
redline
777
195.20.16.103:20440
Targets
-
-
Target
7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe
-
Size
2.0MB
-
MD5
72fb4b278b6a9927a7d8a7801e5bb672
-
SHA1
7c27b347c171974bc21697165177c93717b8fc30
-
SHA256
7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59
-
SHA512
49c752c3773b998e7ecce4d2acbcfe769c0e6ae0b2661e99085614982a840ad15c682344c4554478bfe6f9ed6fa9e5dc7d8cfd122db6e69b7ecd6de1398adf38
-
SSDEEP
49152:qL8Zj+zbbJ+ejFvwvHw+SKZDH/CQesuengxRztOQxHAfS:rj+n1+e2o9WCkNnYFtOQxH8
-
Detect Lumma Stealer payload V4
-
Glupteba payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1