General
-
Target
87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
-
Size
6.2MB
-
Sample
240201-tqnx6ahec8
-
MD5
2f3c9be60064deb5a63a27f1c4e50cc0
-
SHA1
32e3dd4cfc7dc41072c9eee17c6bf2e1553802a4
-
SHA256
87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
-
SHA512
6ccb95bdd98c765656e112fee20c88e7eeb745d82361c1ae5e1fa56a17e556e1be198058a3b99e5d43cd330f96fa3b5ac6da53d7b62f25dcfea26f4503dff61a
-
SSDEEP
98304:lF8zNNrIkyFXuqSqYJebYimqjeL5UnG/xDrMBjrM9DVncLlw5gTeV0kJ7Hi:lF8IwvJeb5mHFt5m8a2EvM
Static task
static1
Behavioral task
behavioral1
Sample
87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3.exe
Resource
win10v2004-20231215-en
Malware Config
Extracted
smokeloader
2022
http://185.215.113.68/fks/index.php
Extracted
redline
LiveTraffic
20.79.30.95:13856
Extracted
redline
Legaa
185.172.128.33:38294
Targets
-
-
Target
87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
-
Size
6.2MB
-
MD5
2f3c9be60064deb5a63a27f1c4e50cc0
-
SHA1
32e3dd4cfc7dc41072c9eee17c6bf2e1553802a4
-
SHA256
87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
-
SHA512
6ccb95bdd98c765656e112fee20c88e7eeb745d82361c1ae5e1fa56a17e556e1be198058a3b99e5d43cd330f96fa3b5ac6da53d7b62f25dcfea26f4503dff61a
-
SSDEEP
98304:lF8zNNrIkyFXuqSqYJebYimqjeL5UnG/xDrMBjrM9DVncLlw5gTeV0kJ7Hi:lF8IwvJeb5mHFt5m8a2EvM
-
Detect ZGRat V1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
5Impair Defenses
2Disable or Modify Tools
2Virtualization/Sandbox Evasion
1Subvert Trust Controls
1Install Root Certificate
1