General
Target: 9a2073e7fd9e73b17ab239c32ea2c2852c9d958abf3a7501cbca8ac4b03e188c
Size: 107KB
Sample: 240417-qh82ksha39
MD5: d1b1025866b6487e5dc946427f8addfa
SHA1: 245d66172edd4c0f1717735486e5c5693e480fe3
SHA256: 9a2073e7fd9e73b17ab239c32ea2c2852c9d958abf3a7501cbca8ac4b03e188c
SHA512: c7dac2e26a43066e0f5ddd5d9aa5ad48912eb448c5e6223db00c492af4749b4b8f5b951c01bf2c61bb4d272470488b97d331f749af83c701e16f12980b80a3b1
SSDEEP: 3072:7ldz4JW6PG9G+yACSizY0JD8ShbeRz40Jx/C96WEwdq:zN9lQFdDfhbeR7a9nE1
Static task: static1
Behavioral task: behavioral1
  Sample: 2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe
  Resource: win10v2004-20240226-en
Malware Config
Extracted: smokeloader
  Botnet: pub1
Extracted: smokeloader
  Version: 2022
  C2:
    http://trad-einmyus.com/index.php
    http://tradein-myus.com/index.php
    http://trade-inmyus.com/index.php
Extracted: redline
  Botnet: LogsDiller Cloud (Telegram: @logsdillabot)
  C2: 5.42.65.50:33080
Extracted: lumma
Targets
Target: 2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe
Size: 186KB
MD5: 0343235b3014134cd1f9c4f8f14bf327
SHA1: 7df22fd8a194031121a4e4eba53d98c1a7f55bb8
SHA256: 2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b
SHA512: 1cefcccde826acf72f57d4a66f2cc22132773259aad246778a1fad3f059ec978a0d83b65eb3b447793d76629e0e20b6c4320d28ba42cf5c8acd70b102e3a7571
SSDEEP: 3072:0vHATbTxwuWJy949xuZsG/t7GJ9JA4UJykW/JqZvoh:wYbTGuWC4HAVGJ98
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Modify Registry (3)
  Subvert Trust Controls (1)
    Install Root Certificate (1)