General
- Target: 1905ad8d3e218e39d45ce88778dd7a141a93ec18ebd3944871847498730c6a5e
- Size: 162KB
- Sample: 240417-qc774aab6x
- MD5: fab24922fc94f75c898e8d4b23b1022b
- SHA1: 7b28c3d4501338c510f6dd5ebfbc1df2a6c913ab
- SHA256: 1905ad8d3e218e39d45ce88778dd7a141a93ec18ebd3944871847498730c6a5e
- SHA512: 2398954b46c2cb769cc985f502b9c3874e0ee5714c228b3c0afb1a31e3460067751e317d6f70f5c85063b2156f6397b2dba61d1344a10d4715eb1676359e1415
- SSDEEP: 3072:wx4NjDrgHlY0V4TdM6MP5IE85OXE13qBeDZGm67pmjdfDT3lt1oJn8CF1I5:w6NjDEBp6NzqeZGLAdfXVt1OnNK
Static task: static1
Behavioral task: behavioral1
- Sample: abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe
- Resource: win10v2004-20240226-en
Malware Config
Extracted: smokeloader
- pub1
Extracted: smokeloader
- 2022
- http://trad-einmyus.com/index.php
- http://tradein-myus.com/index.php
- http://trade-inmyus.com/index.php
Extracted: redline
- LogsDiller Cloud (Telegram: @logsdillabot)
- 5.42.65.50:33080
Extracted: lumma
- https://greetclassifytalk.shop/api
- https://entitlementappwo.shop/api
- https://economicscreateojsu.shop/api
- https://pushjellysingeywus.shop/api
- https://absentconvicsjawun.shop/api
- https://suitcaseacanehalk.shop/api
- https://bordersoarmanusjuw.shop/api
- https://mealplayerpreceodsju.shop/api
- https://wifeplasterbakewis.shop/api
Targets
- Target: abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe
- Size: 313KB
- MD5: 49c1a7094df766b5e5868811f298b529
- SHA1: c48fc045b5ee06e02d558f3c3551a463199725b9
- SHA256: abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976
- SHA512: c34cf47f715fffb4c4b9ec4ba587ea0c455d3baf7192408114b9f7260dbb1ee6b28c794157cfdd12c6048e99e9140220d77232bd9355cb96db7df9e566ba9490
- SSDEEP: 3072:9gw3B7c4wkQMR+BYYeEX+qP4XTkedBoRv0XgGlf+N9XF6kVQvVYKAG:zxd/RmFMkeAv0ltKXF6k2NvJ
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Modify Registry (2)
  - Subvert Trust Controls (1)
    - Install Root Certificate (1)