General
-
Target
f3b0179ba1f2f60ea88c4f14c4e7a829.bin
-
Size
2.4MB
-
Sample
231230-cvyvgsbedr
-
MD5
fe15867e6a3c6a4391c4c49129806ba5
-
SHA1
849e89db4dbe6f2c7ae8627467c3dc95ac6f9514
-
SHA256
a7f088a1cd622d248cd2904ba001c8d5eb9ee90db7fe6d043414bd513a6b0275
-
SHA512
9abb6f9225f333800bbb3186e0ab65fb946ae7fe635593aaa4012c4beaa58db7f8a5eb903a669aa4821699bf83d5774148739bd7c76813cd787487c6aaa0709e
-
SSDEEP
49152:SCkrvSQjhIE/hL5HT4JwTUNjsBC8uOr69eaytSlfhXEZXcVlbeZyDoys5I:WbSAhPFTymDGevafhIc373sC
Static task
static1
Behavioral task
behavioral1
Sample
b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe
Resource
win10v2004-20231222-en
Malware Config
Extracted
smokeloader
2022
http://185.215.113.68/fks/index.php
Extracted
smokeloader
up3
Extracted
redline
LiveTraffic
20.79.30.95:13856
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
redline
777
195.20.16.103:20440
Extracted
stealc
http://5.42.66.57
-
url_path
/3886d2276f6914c4.php
Targets
-
-
Target
b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe
-
Size
2.5MB
-
MD5
f3b0179ba1f2f60ea88c4f14c4e7a829
-
SHA1
cada0b63415bfdafac480da21742d673a6f1d359
-
SHA256
b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a
-
SHA512
fd4f6e6eec6e565435c7fd7d6e5f79d7f59cca0e9ef068f370c65b270d5d4fa034b0990ecb8fb4427ee58ff5048b88130c2b80002e7d63a15c0b4aec2d342303
-
SSDEEP
49152:VkJD9VUS2v2/czNA6XgbuzDUyjYFb1nbuZvaMba5A7e0JSkJsGdLtFprqRbFFjfr:y9ESLEzNA6XAycRpuwiPBOGdZGxFFrJh
-
Detect Lumma Stealer payload V4
-
Detect ZGRat V1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1