General
-
Target
945e00ee877d6fd589c02c71e0786448bffd53ed2d473fee3ff3806551254a9e
-
Size
144KB
-
Sample
240417-r3297scf23
-
MD5
be819bac0f30f3cc8b7f268d9997f608
-
SHA1
61751b26855ac15d727d437c3b0f157e1a7a03d7
-
SHA256
945e00ee877d6fd589c02c71e0786448bffd53ed2d473fee3ff3806551254a9e
-
SHA512
d3a602fbb90476f9add5baff35b513458ad6d65ffb5ff491e14a49ed84309d992f641b47f5713f6a6647cfd88ee824f3d64778ae30c4bd0728b41425e5a85bde
-
SSDEEP
3072:jNZEyxGLmUL3+qv+LJet3YpYJVUGaVbVll9U2AU31skWaXuHx:jNKyxGSUL3mLJW4imG+9U2bWaXuR
Static task
static1
Behavioral task
behavioral1
Sample
0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
redline
LogsDiller Cloud (Telegram: @logsdillabot)
5.42.65.50:33080
Extracted
lumma
https://greetclassifytalk.shop/api
https://entitlementappwo.shop/api
https://economicscreateojsu.shop/api
https://pushjellysingeywus.shop/api
https://absentconvicsjawun.shop/api
https://suitcaseacanehalk.shop/api
https://bordersoarmanusjuw.shop/api
https://mealplayerpreceodsju.shop/api
https://wifeplasterbakewis.shop/api
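The extracted configs above are the most reusable part of this report: three SmokeLoader C2 URLs, one RedLine C2 socket and nine Lumma C2 URLs. As an added example (not part of the sandbox report), the following Python turns that list into a host/port indicator set and runs it over a few constructed DNS, proxy and flow log lines. The log lines and their field names (query=, host=, dst=, dport=) are assumptions; the indicators are exactly the ones listed above. The RedLine entry is kept port-qualified, so a connection to 5.42.65.50 on another port is not reported as a hit.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the report's "Malware Config" section.
CONFIG = {
    "smokeloader": [
        "http://trad-einmyus.com/index.php",
        "http://tradein-myus.com/index.php",
        "http://trade-inmyus.com/index.php",
    ],
    "redline": ["5.42.65.50:33080"],
    "lumma": [
        "https://greetclassifytalk.shop/api",
        "https://entitlementappwo.shop/api",
        "https://economicscreateojsu.shop/api",
        "https://pushjellysingeywus.shop/api",
        "https://absentconvicsjawun.shop/api",
        "https://suitcaseacanehalk.shop/api",
        "https://bordersoarmanusjuw.shop/api",
        "https://mealplayerpreceodsju.shop/api",
        "https://wifeplasterbakewis.shop/api",
    ],
}

# Constructed log lines (assumed format, not from the report).
LOGS = """\
2024-04-17T10:01:02Z dns query=login.microsoftonline.com type=A
2024-04-17T10:01:05Z dns query=TRADE-INMYUS.COM type=A
2024-04-17T10:01:09Z proxy method=CONNECT host=greetclassifytalk.shop:443
2024-04-17T10:01:11Z flow src=10.0.0.5 dst=5.42.65.50 dport=33080 proto=tcp
2024-04-17T10:01:13Z flow src=10.0.0.5 dst=5.42.65.50 dport=443 proto=tcp
""".splitlines()

# Hostnames and IPv4 addresses, each with an optional ":port" suffix.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})(?::(\d{1,5}))?\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
DPORT_RE = re.compile(r"\bdport=(\d{1,5})\b")


def build_indicators(config):
    """Map lowercase host -> (family, port or None) from URL or ip:port entries."""
    indicators = {}
    for family, entries in config.items():
        for entry in entries:
            if "://" in entry:
                parts = urlsplit(entry)
                host, port = parts.hostname, parts.port
            else:
                host, _, port = entry.partition(":")
                port = int(port) if port else None
            indicators[host.lower()] = (family, port)
    return indicators


def scan(lines, indicators):
    """Return (line_no, family, host) for every line touching an indicator.

    A port-qualified indicator (ip:port) only matches when the line carries
    that port, either as host:port or as a dport= field.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        line_ports = {int(p) for p in DPORT_RE.findall(line)}
        seen = set()
        for regex in (HOST_RE, IP_RE):
            for host, port in regex.findall(line):
                host = host.lower()
                if host in seen or host not in indicators:
                    continue
                family, want_port = indicators[host]
                have_ports = line_ports | ({int(port)} if port else set())
                if want_port is not None and want_port not in have_ports:
                    continue
                seen.add(host)
                hits.append((n, family, host))
    return hits


if __name__ == "__main__":
    for n, family, host in scan(LOGS, build_indicators(CONFIG)):
        print(f"line {n}: {family} C2 contact to {host}")
```

Because the report only gives hosts, not resolved IPs, the domain matches here are DNS-level: a hit on trade-inmyus.com says the host asked for the name, which is worth an alert for a SmokeLoader C2 even if the connection was later blocked.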
Targets
-
-
Target
0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exe
-
Size
231KB
-
MD5
3ab03116a1d5dea017a632acfe5d56fb
-
SHA1
d38ba4572555498c08a9c3e7e1826cf337c318e9
-
SHA256
0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03
-
SHA512
c8c3c7145d01b4c2c94451c964e7bdf1344520be45ceaeea166e9a4ff1b3b18db41ca29ea9680aca92b08da895e1ee377e14684b1eb6748a6097c7d26d12d139
-
SSDEEP
3072:1nf/yLH4vqqRFbyoa1dWbWGWIpe3G5kZiVSHloV552I4:1f/yLYJFbyorbWGxpP5kZoz4
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry
-
Deletes itself
-
Executes dropped EXE
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix (ATT&CK v13)
Counts in parentheses are the number of matched behaviours mapped to each technique.
Privilege Escalation
- Boot or Logon Autostart Execution, T1547 (1)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
Defense Evasion
- Modify Registry, T1112 (2)
- Subvert Trust Controls, T1553 (1)
  - Install Root Certificate, T1553.004 (1)