General
- Target: bf0cbdb53bbd724bb231f0b6958edfc4.bin
- Size: 27KB
- Sample: 231230-cldg7ahbbk
- MD5: 8bd83476c655f8ada89f897f8f79b0ec
- SHA1: 5def638e5024ff0fb1010a1fde34e5199123232a
- SHA256: e45058c32ef783db9ab46f512b31054c644bed2935bd9c0d875bd8908323820b
- SHA512: 3b94005a11140e090dbf8c46d6386abf4bb6bb78f979925b598dffda3ed43cd05e3ff652b14cd19b9fc114ca98085f8135f36d752d4ff2c4395b3dba873c420b
- SSDEEP: 768:DUyFGgGqf9w8L4eyhi8VoI45T3CmrOwIbJIc573U:DUTJIk4pV5miyywU
Behavioral task: behavioral1
Sample: 41d04caed8474ba34136c1e831cd345086a4fd4259557ec16f9c4cc99fb603cb.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 41d04caed8474ba34136c1e831cd345086a4fd4259557ec16f9c4cc99fb603cb.exe
Resource: win10v2004-20231215-en
Malware Config
Extracted: smokeloader
2022
http://185.215.113.68/fks/index.php

Extracted: smokeloader
up3

Extracted: smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/

Extracted: redline
LiveTraffic
20.79.30.95:13856

Extracted: stealc
http://5.42.66.57
- url_path: /3886d2276f6914c4.php
Targets
- Target: 41d04caed8474ba34136c1e831cd345086a4fd4259557ec16f9c4cc99fb603cb.exe
- Size: 38KB
- MD5: bf0cbdb53bbd724bb231f0b6958edfc4
- SHA1: d825f3d47987356477f6a1d916a0e34cb581ecc5
- SHA256: 41d04caed8474ba34136c1e831cd345086a4fd4259557ec16f9c4cc99fb603cb
- SHA512: 5073f5f04c954de70247254e1983939c330fa95f11e1d36f615f52a9649e77f8ffa93269ba19b7a734f4528ad5907b3e960414a54ee442dd1e1a70365af1358e
- SSDEEP: 768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3
- Detect Lumma Stealer payload V4
- Detect ZGRat V1
- Glupteba payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Modifies Windows Firewall
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext