General
-
Target
2f3c9be60064deb5a63a27f1c4e50cc0.exe
-
Size
6.2MB
-
Sample
240104-rv44tscfe3
-
MD5
2f3c9be60064deb5a63a27f1c4e50cc0
-
SHA1
32e3dd4cfc7dc41072c9eee17c6bf2e1553802a4
-
SHA256
87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
-
SHA512
6ccb95bdd98c765656e112fee20c88e7eeb745d82361c1ae5e1fa56a17e556e1be198058a3b99e5d43cd330f96fa3b5ac6da53d7b62f25dcfea26f4503dff61a
-
SSDEEP
98304:lF8zNNrIkyFXuqSqYJebYimqjeL5UnG/xDrMBjrM9DVncLlw5gTeV0kJ7Hi:lF8IwvJeb5mHFt5m8a2EvM
Static task
static1
Behavioral task
behavioral1
Sample
2f3c9be60064deb5a63a27f1c4e50cc0.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2f3c9be60064deb5a63a27f1c4e50cc0.exe
Resource
win10v2004-20231215-en
Malware Config
Extracted
smokeloader
2022
http://185.215.113.68/fks/index.php
Extracted
redline
777
195.20.16.103:20440
Targets
-
-
Target
2f3c9be60064deb5a63a27f1c4e50cc0.exe
-
Size
6.2MB
-
MD5
2f3c9be60064deb5a63a27f1c4e50cc0
-
SHA1
32e3dd4cfc7dc41072c9eee17c6bf2e1553802a4
-
SHA256
87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
-
SHA512
6ccb95bdd98c765656e112fee20c88e7eeb745d82361c1ae5e1fa56a17e556e1be198058a3b99e5d43cd330f96fa3b5ac6da53d7b62f25dcfea26f4503dff61a
-
SSDEEP
98304:lF8zNNrIkyFXuqSqYJebYimqjeL5UnG/xDrMBjrM9DVncLlw5gTeV0kJ7Hi:lF8IwvJeb5mHFt5m8a2EvM
-
Detect ZGRat V1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1