General
- Target: e7d2e3ef308b65887cfe3fc9012c012a.bin
- Size: 2.4MB
- Sample: 240101-cszc8scff6
- MD5: f1adeafd33a76da29c58185d71c1afaf
- SHA1: d40d1c94d3c370ad54e3b0ba6c1454abda6d01f8
- SHA256: 79d4128136a7e40b9ea839b1ddd1576bc3d46f97c88968591a0dbcdd0f51408b
- SHA512: 04777afac9332264b7d1a206aa037bf8d2b364392ccd85404d1baaa46d1418e45fc758e76e9888aa49445888348ca2342adeb0171fe263d6dd0d41fd2c639406
- SSDEEP: 49152:mpCDuVjw/UddtOuDljSN1Nnt8RUaSyVIwgFEm87fQWgOIG:Dcc/ILQ1NntwU98UF6oWgOIG
Static task: static1

Behavioral task: behavioral1
- Sample: 53bda5daab1582c7b7ca077deb0b3f3bbf3a4611fe92d136ceecab70eaa64d9a.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 53bda5daab1582c7b7ca077deb0b3f3bbf3a4611fe92d136ceecab70eaa64d9a.exe
- Resource: win10v2004-20231215-en
Malware Config
- Extracted: smokeloader, 2022, http://185.215.113.68/fks/index.php
- Extracted: smokeloader, up3
- Extracted: redline, LiveTrafic, 20.79.30.95:13856
- Extracted: smokeloader, 2020, http://host-file-host6.com/, http://host-host-file8.com/
- Extracted: redline, 777, 195.20.16.103:20440
- Extracted: lumma, http://soupinterestoe.fun/api
Targets
- Target: 53bda5daab1582c7b7ca077deb0b3f3bbf3a4611fe92d136ceecab70eaa64d9a.exe
- Size: 2.5MB
- MD5: e7d2e3ef308b65887cfe3fc9012c012a
- SHA1: 1aab721e4a346677b97f069dcf40d21490deb5f5
- SHA256: 53bda5daab1582c7b7ca077deb0b3f3bbf3a4611fe92d136ceecab70eaa64d9a
- SHA512: 89ec30bdb2846668391ecd1d0e206e999ac7ab88c70374bdf2b0305cf117a6dc158f029c982dd2012702f6f49c8a320e48180b44b57edfd62f85b1025b750899
- SSDEEP: 49152:i/JOpJYNxT2b2Dd87gp3HQTBDfocvOx7C8yA9GcPmxneb5Mf:IIp0TpB87gp3wTeMpJi9keb5o
- Detect Lumma Stealer payload V4
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)