General
Target: 1c44852292cf03e534ef8c2914b22436
Size: 4.4MB
Sample: 231230-zpyc4aada6
MD5: 1c44852292cf03e534ef8c2914b22436
SHA1: 39e0966477f02eadd10e35709d52567e9825f533
SHA256: 799cb4b1d385475c155fae6fc0c214b059f191ed06b9229f287a8d9225ba8a21
SHA512: 7b37e8101bc2f6047f69b3283d6aa2f1344a3641b378f03c8b699fe45df742fde8f608204898e810118e47076374b8d9d51e28df71bdf8e530bd39757a906498
SSDEEP: 98304:yUD14snMnUPEEjVhI2DWARNpBJsWqqOog664sGwjf:yUD6snYUM2VFycNDmBGwj
Static task: static1
Behavioral task: behavioral1
Sample: 1c44852292cf03e534ef8c2914b22436.exe
Resource: win7-20231129-en
Malware Config
Extracted: redline
    Build1
    45.142.213.135:30058
Extracted: nullmixer
    http://znegs.xyz/
Extracted: socelars
    http://www.iyiqian.com/
    http://www.xxhufdc.top/
    http://www.uefhkice.xyz/
    http://www.fcektsy.top/
Extracted: smokeloader
    pub6
Extracted: vidar
    39.9
    706
    https://prophefliloc.tumblr.com/
    profile_id: 706
Extracted: smokeloader
    2020
    http://aucmoney.com/upload/
    http://thegymmum.com/upload/
    http://atvcampingtrips.com/upload/
    http://kuapakualaman.com/upload/
    http://renatazarazua.com/upload/
    http://nasufmutlu.com/upload/
Targets
Target: 1c44852292cf03e534ef8c2914b22436
Size: 4.4MB
MD5: 1c44852292cf03e534ef8c2914b22436
SHA1: 39e0966477f02eadd10e35709d52567e9825f533
SHA256: 799cb4b1d385475c155fae6fc0c214b059f191ed06b9229f287a8d9225ba8a21
SHA512: 7b37e8101bc2f6047f69b3283d6aa2f1344a3641b378f03c8b699fe45df742fde8f608204898e810118e47076374b8d9d51e28df71bdf8e530bd39757a906498
SSDEEP: 98304:yUD14snMnUPEEjVhI2DWARNpBJsWqqOog664sGwjf:yUD6snYUM2VFycNDmBGwj
Signatures
PrivateLoader
    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload
SectopRAT payload
Socelars payload
Vidar Stealer
Checks computer location settings
    Looks up the country code configured in the registry, likely for geofencing.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
    Uses a legitimate geolocation service to find the infected system's geolocation info.
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
    Create or Modify System Process (1)
        Windows Service (1)
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Scheduled Task/Job (1)
Privilege Escalation
    Create or Modify System Process (1)
        Windows Service (1)
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Scheduled Task/Job (1)
Defense Evasion
    Modify Registry (3)
    Impair Defenses (1)
        Disable or Modify Tools (1)
    Subvert Trust Controls (1)
        Install Root Certificate (1)