General
Target: 800530878e98abcca258c08a58304dedeed1f5fe3e792b7bef8c6586b61084f6
Size: 93KB
Sample: 240417-rfq9esbb58
MD5: 4451591082f63b560252133d2ada62a0
SHA1: 8bc3100c76bf738490798bb03b4d3ef184ed1152
SHA256: 800530878e98abcca258c08a58304dedeed1f5fe3e792b7bef8c6586b61084f6
SHA512: ebdcfe48e35e20c9e0342972142f9e4831777f66dd3e73f121729a5ef673452079cf31eb8eccc25d860220af30723e4f700a775a65e49a0bf48a9f0a4242fa4b
SSDEEP: 1536:OtKRHtJJt5HCQr5fff1tgwfOjBlqy38+c71YEP/xsgybdnxwL4MT5Z:OtKlnwQrdfOdsy38LSY/xsgybd2B5Z
Static task: static1
Behavioral task: behavioral1
  Sample: 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
  Resource: win10v2004-20240226-en
Malware Config
Extracted: smokeloader
  pub1
Extracted: smokeloader
  2022
  http://trad-einmyus.com/index.php
  http://tradein-myus.com/index.php
  http://trade-inmyus.com/index.php
Extracted: redline
  LogsDiller Cloud (Telegram: @logsdillabot)
  5.42.65.50:33080
Extracted: lumma
  https://greetclassifytalk.shop/api
  https://entitlementappwo.shop/api
  https://economicscreateojsu.shop/api
  https://pushjellysingeywus.shop/api
  https://absentconvicsjawun.shop/api
  https://suitcaseacanehalk.shop/api
  https://bordersoarmanusjuw.shop/api
  https://mealplayerpreceodsju.shop/api
  https://wifeplasterbakewis.shop/api
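The extracted configuration above is the actionable part of the report. The following Python is an added example, not sandbox-vendor code: it parses that flattened block into typed indicators (URL, IP:port socket, or free-text attribute), defangs them for sharing, and emits Suricata rules for the network indicators. It assumes the layout seen on this page (an `Extracted` line, the family name on the next line, then one value per line); the rule message text and the SID range are the example's own choices, and the input literal is a verbatim copy of the block above.

```python
"""Typed, defanged IOCs from a sandbox report's 'Malware Config / Extracted' block.
Added example for this page (not vendor code); assumes the flattened layout:
'Extracted', family name, then one value per line until the next 'Extracted'."""
import ipaddress
import re
from urllib.parse import urlsplit

# Verbatim copy of the page's extracted-config block, used as parser input.
EXTRACTED_CONFIG = """\
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
redline
LogsDiller Cloud (Telegram: @logsdillabot)
5.42.65.50:33080
Extracted
lumma
https://greetclassifytalk.shop/api
https://entitlementappwo.shop/api
https://economicscreateojsu.shop/api
https://pushjellysingeywus.shop/api
https://absentconvicsjawun.shop/api
https://suitcaseacanehalk.shop/api
https://bordersoarmanusjuw.shop/api
https://mealplayerpreceodsju.shop/api
https://wifeplasterbakewis.shop/api
"""

SOCKET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def classify(value: str) -> dict:
    """Map one config value to a typed indicator; raise on malformed network values."""
    m = SOCKET_RE.match(value)
    if m:
        ip = str(ipaddress.IPv4Address(m.group(1)))  # rejects octets > 255
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {value}")
        return {"type": "socket", "ip": ip, "port": port}
    if "://" in value:
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"unsupported URL: {value}")
        return {"type": "url", "url": value, "host": parts.hostname}
    # Anything else (version tag, botnet/campaign name) is a free-text attribute.
    return {"type": "attribute", "value": value}


def parse_extracted(text: str) -> list:
    """One record per 'Extracted' entry: {'family': str, 'indicators': [...]}."""
    records, current = [], None
    lines = iter(ln.strip() for ln in text.splitlines() if ln.strip())
    for line in lines:
        if line == "Extracted":
            current = {"family": next(lines), "indicators": []}
            records.append(current)
        elif current is None:
            raise ValueError("value before first 'Extracted' header")
        else:
            current["indicators"].append(classify(line))
    return records


def defang(s: str) -> str:
    """hxxp scheme and [.] dots so the indicator cannot be clicked or auto-linked."""
    return re.sub(r"^https?", lambda m: "hxxp" + m.group(0)[4:], s).replace(".", "[.]")


def network_iocs(records: list) -> dict:
    """Deduplicated hosts, sockets and URLs per family (records of one family merge)."""
    out = {}
    for rec in records:
        fam = out.setdefault(rec["family"], {"hosts": set(), "sockets": set(), "urls": set()})
        for ind in rec["indicators"]:
            if ind["type"] == "url":
                fam["hosts"].add(ind["host"])
                fam["urls"].add(ind["url"])
            elif ind["type"] == "socket":
                fam["sockets"].add((ind["ip"], ind["port"]))
    return {f: {k: sorted(v) for k, v in d.items()} for f, d in out.items()}


def suricata_rules(iocs: dict, base_sid: int = 9000000) -> list:
    """A dns.query alert per C2 host and a TCP alert per raw socket (Suricata 5+ syntax)."""
    rules, sid = [], base_sid
    for family, d in sorted(iocs.items()):
        for host in d["hosts"]:
            rules.append(f'alert dns $HOME_NET any -> any any (msg:"{family} C2 domain {host}"; '
                         f'dns.query; content:"{host}"; nocase; endswith; sid:{sid}; rev:1;)')
            sid += 1
        for ip, port in d["sockets"]:
            rules.append(f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{family} C2 socket"; '
                         f'flow:to_server; sid:{sid}; rev:1;)')
            sid += 1
    return rules


if __name__ == "__main__":
    iocs = network_iocs(parse_extracted(EXTRACTED_CONFIG))
    for family, d in iocs.items():
        print(family, [defang(u) for u in d["urls"]], [f"{defang(ip)}:{p}" for ip, p in d["sockets"]])
    print("\n".join(suricata_rules(iocs)))
```

The two smokeloader entries merge into one IOC set, the `pub1` / `2022` tags and the RedLine "LogsDiller Cloud" string stay as attributes rather than being mistaken for network indicators, and malformed values (an octet above 255, a port above 65535) raise instead of silently producing a bad rule. The `dns.query` sticky buffer and `endswith` keyword require Suricata 5.0 or later.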
Targets
Target: 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
Size: 161KB
MD5: fb8ddd837ad8b94f1faf0b4920ce7b2b
SHA1: c3bc51f18a1180be27c4ee0978aaa9e1295dbd4b
SHA256: 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee
SHA512: db218213ee139583f69b00ea7e33986857cbc73f0e549f996e0dc3b0b34282c838f874a65c13fa7e21adfb8d876ca6cef9421a19171c214b1ea98b1a99f1bc74
SSDEEP: 1536:IwYZ5gZyjech8y/nK/bobGPgeMWKQxljH3PBe/8YkfbM9Wzw1mE3SmJQENYmAzTa:YiZpyDz/WVPX/9CWz9xmJQMYmAzsX
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Modify Registry (2)
  Subvert Trust Controls (1)
    Install Root Certificate (1)