General
-
Target
3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b
-
Size
265KB
-
Sample
240430-vjdpaabb7s
-
MD5
3e9673f5a67c18e97c82e072aaa06c5c
-
SHA1
9b1cd5ab1af8fecb5e3bc898dc5a39874ef70a30
-
SHA256
3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b
-
SHA512
62054f8edf91221d3dc7b04af6b6782d7f539ee41a608f480bc66d2f2a97ca9168afb7a43ce070117a894228e58791dea894d48c64b7e2cfb41b81ac02855169
-
SSDEEP
3072:jNHXwDrphiD1+++jK+gT0xZD0VeqRNDCYtvUBb2Jb/3KTUIIufnaCCph99nKgVwn:+nGZ++0gTU4xdCYtvjJWT1IUnE399b
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
redline
LogsDiller Cloud (Telegram: @logsdillabot)
5.42.65.96:28380
Targets
-
-
Target
3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b
-
Size
265KB
-
MD5
3e9673f5a67c18e97c82e072aaa06c5c
-
SHA1
9b1cd5ab1af8fecb5e3bc898dc5a39874ef70a30
-
SHA256
3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b
-
SHA512
62054f8edf91221d3dc7b04af6b6782d7f539ee41a608f480bc66d2f2a97ca9168afb7a43ce070117a894228e58791dea894d48c64b7e2cfb41b81ac02855169
-
SSDEEP
3072:jNHXwDrphiD1+++jK+gT0xZD0VeqRNDCYtvUBb2Jb/3KTUIIufnaCCph99nKgVwn:+nGZ++0gTU4xdCYtvjJWT1IUnE399b
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1