General

Target: 3ab35ce7186e6dbda54259073b75bb61a37050f1b202ad859a02ee4a04a2da83
Size: 159KB
Sample: 240417-qjl87sae8v
MD5: 7fed981dc50c69ccb57c821df3ef7c6e
SHA1: 7479ad52493faa7883710f032bc104d8da73d6fc
SHA256: 3ab35ce7186e6dbda54259073b75bb61a37050f1b202ad859a02ee4a04a2da83
SHA512: afa2f6eea1193a6aa71676fd4e86dfc39dc3bf8cac4704e01570d234f8972b80bfa7262d73c9029f9be2d459ade3a0794db45ab0e5ec5e680900f3cc8321fee3
SSDEEP: 3072:NAbZvl8WisUN9ZyZQpr+HfDUbRS+izzS2ZDZmwcCwbKDRvmJU09hTfnW/Ykb:c8WiscqQgHf/++S2sCwWDRcpfWAkb
Static task
static1

Behavioral task
behavioral1
Sample: 6610e3f433a1a54fff1dcb16ca8d08137481d19cd706d1cd73e75030be8ff720.exe
Resource: win7-20240221-en

Behavioral task
behavioral2
Sample: 6610e3f433a1a54fff1dcb16ca8d08137481d19cd706d1cd73e75030be8ff720.exe
Resource: win10v2004-20240226-en
Malware Config

Extracted: smokeloader
pub1

Extracted: smokeloader
2022
C2:
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php

Extracted: redline
Botnet: LogsDiller Cloud (Telegram: @logsdillabot)
C2: 5.42.65.50:33080

Extracted: lumma
C2:
https://greetclassifytalk.shop/api
https://entitlementappwo.shop/api
https://economicscreateojsu.shop/api
https://pushjellysingeywus.shop/api
https://absentconvicsjawun.shop/api
https://suitcaseacanehalk.shop/api
https://bordersoarmanusjuw.shop/api
https://mealplayerpreceodsju.shop/api
https://wifeplasterbakewis.shop/api
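The extracted configs above are the report's most directly actionable output: three SmokeLoader C2 URLs, one RedLine ip:port, and nine Lumma API endpoints. The script below is an added example, not part of the sandbox report, showing how a responder would turn those entries into indicators and sweep network logs for them. The C2 values are copied from the report; the key=value log format and the log lines themselves are constructed for the example and assume fields named query, host, url, dst and dport. Domain matching is case-insensitive, tolerates the trailing dot of a DNS name, and treats subdomains of a listed host as hits while rejecting lookalike hosts that merely end in the same characters.

```python
"""Turn the C2 endpoints from the extracted configs into indicators and
sweep key=value network logs for them (added example, not report output)."""
import re
from urllib.parse import urlparse

# Indicators copied from the report's extracted configs.
C2_BY_FAMILY = {
    "smokeloader": [
        "http://trad-einmyus.com/index.php",
        "http://tradein-myus.com/index.php",
        "http://trade-inmyus.com/index.php",
    ],
    "redline": ["5.42.65.50:33080"],
    "lumma": [
        "https://greetclassifytalk.shop/api",
        "https://entitlementappwo.shop/api",
        "https://economicscreateojsu.shop/api",
        "https://pushjellysingeywus.shop/api",
        "https://absentconvicsjawun.shop/api",
        "https://suitcaseacanehalk.shop/api",
        "https://bordersoarmanusjuw.shop/api",
        "https://mealplayerpreceodsju.shop/api",
        "https://wifeplasterbakewis.shop/api",
    ],
}

# Assumed log shape: whitespace-separated key=value pairs (constructed, not a real product format).
_KV = re.compile(r"(\w+)=(\S+)")


def build_indicators(c2_by_family):
    """Split config entries into {domain: family} and {(ip, port): family}."""
    domains, sockets = {}, {}
    for family, entries in c2_by_family.items():
        for entry in entries:
            if "://" in entry:
                host = urlparse(entry).hostname
                if host:
                    domains[host.lower()] = family
            else:
                ip, port = entry.rsplit(":", 1)
                sockets[(ip, int(port))] = family
    return domains, sockets


def _domain_hit(name, domains):
    """Exact or subdomain match, case-insensitive, tolerating a trailing dot.
    'notexample.com' must NOT match 'example.com', hence the '.' prefix test."""
    name = name.lower().rstrip(".")
    for dom, family in domains.items():
        if name == dom or name.endswith("." + dom):
            return dom, family
    return None


def sweep(lines, domains, sockets):
    """Return (line_number, indicator, family) for every log line touching a C2."""
    hits = []
    for n, line in enumerate(lines, 1):
        kv = dict(_KV.findall(line))
        hit = None
        for key in ("query", "host"):          # DNS query name or HTTP Host header
            if key in kv:
                hit = _domain_hit(kv[key], domains)
                if hit:
                    break
        if hit is None and "url" in kv:         # full URL from a proxy log
            host = urlparse(kv["url"]).hostname
            if host:
                hit = _domain_hit(host, domains)
        if hit is None and "dst" in kv and "dport" in kv:   # raw socket from a firewall log
            sock = (kv["dst"], int(kv["dport"]))
            if sock in sockets:
                hit = (f"{sock[0]}:{sock[1]}", sockets[sock])
        if hit:
            hits.append((n, hit[0], hit[1]))
    return hits


# Constructed sample log lines (not from the report).
SAMPLE_LOGS = [
    "ts=2024-04-17T10:00:01Z src=10.0.0.5 query=WWW.TRADE-INMYUS.COM. type=A",
    "ts=2024-04-17T10:00:02Z src=10.0.0.5 url=http://trade-inmyus.com/index.php status=200",
    "ts=2024-04-17T10:00:03Z src=10.0.0.5 query=update.microsoft.com type=A",
    "ts=2024-04-17T10:00:04Z src=10.0.0.7 dst=5.42.65.50 dport=33080 proto=tcp",
    "ts=2024-04-17T10:00:05Z src=10.0.0.7 dst=5.42.65.50 dport=443 proto=tcp",
    "ts=2024-04-17T10:00:06Z src=10.0.0.9 host=greetclassifytalk.shop url=https://greetclassifytalk.shop/api",
    "ts=2024-04-17T10:00:07Z src=10.0.0.9 host=notgreetclassifytalk.shop url=https://notgreetclassifytalk.shop/api",
]

if __name__ == "__main__":
    doms, socks = build_indicators(C2_BY_FAMILY)
    for line_no, indicator, family in sweep(SAMPLE_LOGS, doms, socks):
        print(f"line {line_no}: {family} C2 {indicator}")
```

Note that only the RedLine indicator carries a port: the firewall-style line to the same IP on 443 is deliberately not flagged, since the report names only 5.42.65.50:33080. Broaden to the bare IP if you are willing to accept the extra noise.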
Targets

Target: 6610e3f433a1a54fff1dcb16ca8d08137481d19cd706d1cd73e75030be8ff720.exe
Size: 300KB
MD5: 62e5fd85ce51c117efe2b5d7878666a5
SHA1: 51abc31105ddf829ebae52360fd4ae18a45a9bd1
SHA256: 6610e3f433a1a54fff1dcb16ca8d08137481d19cd706d1cd73e75030be8ff720
SHA512: 5cb9f5d419643703093ee2e2db45d017307edd3adb881e5db646fa0e4ab7f98dc0fa1787a2c94e9f597442f65796a9b0d8838abb34dafa9fcdc3663e9a943d34
SSDEEP: 3072:ZZ4GK2h1ohdN1S8HF2b+BMiXTHEOXSawHt+IbJEs6LePU3dxf/eDLD8M:Znhzsk8HF2bSj1aHlisQePUtReDMM
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload

Downloads MZ/PE file

Modifies Installed Components in the registry
Writes under Active Setup\Installed Components. Active Setup runs the component's StubPath command once per user at logon whenever the component's Version is newer than the user's recorded copy, so this is a persistence mechanism rather than an ordinary configuration change.

Deletes itself

Executes dropped EXE

Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext
SetThreadContext on another process's thread is how process hollowing and similar injection techniques redirect a suspended process to attacker-controlled code before resuming it.
MITRE ATT&CK Enterprise v15

Privilege Escalation
Boot or Logon Autostart Execution (T1547): 1
  Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
Modify Registry (T1112): 2
Subvert Trust Controls (T1553): 1
  Install Root Certificate (T1553.004): 1
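The signature list and the ATT&CK table above describe three registry-based behaviours worth hunting for on endpoints: Run-key persistence, Active Setup Installed Components, and a root certificate dropped into the machine certificate store. The following is an added example, not part of the report, of detection logic over Sysmon-style registry value-set events (Event ID 13 fields Image, TargetObject and Details). The events are constructed; the mapping of Installed Components to T1547.014 (Active Setup) is the editor's, since the report itself only lists Run Keys and Install Root Certificate, and the severity heuristic (persistence written by a binary living under a user profile's AppData) is an assumption, not something the sandbox output states.

```python
"""Flag registry writes matching the techniques in the report's signature list
and ATT&CK table (added example; events below are constructed Sysmon-style records)."""
import re

# (technique id, name, pattern over the registry path being written)
RULES = [
    ("T1547.001", "Registry Run Keys / Startup Folder",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)),
    # Editor's mapping: 'Modifies Installed Components in the registry' -> Active Setup.
    ("T1547.014", "Active Setup (Installed Components StubPath)",
     re.compile(r"\\Software\\Microsoft\\Active Setup\\Installed Components\\\{[0-9A-F-]+\}\\StubPath$", re.I)),
    # Certificates are stored by SHA-1 thumbprint (40 hex chars) with the DER in the Blob value.
    ("T1553.004", "Install Root Certificate",
     re.compile(r"\\SystemCertificates\\Root\\Certificates\\[0-9A-F]{40}\\Blob$", re.I)),
]

# Assumed heuristic: a persistence write from a binary under a user's AppData is high signal.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.I)


def classify(events):
    """Return (technique_id, name, image, target_object, severity) per matching event."""
    findings = []
    for ev in events:
        target = ev.get("TargetObject", "")
        for tid, name, pattern in RULES:
            if pattern.search(target):
                image = ev.get("Image", "")
                severity = "high" if USER_WRITABLE.search(image) else "medium"
                findings.append((tid, name, image, target, severity))
                break   # one technique per event is enough for triage
    return findings


# Constructed events (not from the report). Paths and names are illustrative only.
EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9A8B7C6D-1E2F-4A5B-8C9D-0E1F2A3B4C5D}\StubPath",
     "Details": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob",
     "Details": "Binary Data"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop",
     "Details": r"C:\Users\Public\Desktop"},
    {"Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

if __name__ == "__main__":
    for tid, name, image, target, severity in classify(EVENTS):
        print(f"[{severity}] {tid} {name}: {image} -> {target}")
```

The last event shows why the severity split matters: a legitimate installer writing a Run key matches the same technique as the dropper, so the rule fires on both and the image path, not the registry key alone, is what separates them during triage.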