General
-
Target
476257ebcbb7ecfa831e625b1d110d6b
-
Size
7.8MB
-
Sample
241109-gm1fka1rhl
-
MD5
476257ebcbb7ecfa831e625b1d110d6b
-
SHA1
0fe7b399f9acfaf448662eb500ba062ffd6e5b91
-
SHA256
f588626ae93f8d280520dc8a46009d01c68129006b6786641a458963af97b5bc
-
SHA512
83a4ed5e0faba1bf132d397ca1122d662e0951f714756c8da7c9c92e2c5f97a1af16d377ddf39a0c2d578f23d003f8ad5f1a689215dc8a88485f00d4df953a9c
-
SSDEEP
196608:JOk1nkZIuVQHasQWXYZ/Bw9AVHPeDZj2VPkRASLYnH1jyPrYVW:J/nkZ5VQ6DWX6cAVHPOpJRA/nVmT
Static task
static1
Behavioral task
behavioral1
Sample
476257ebcbb7ecfa831e625b1d110d6b.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
476257ebcbb7ecfa831e625b1d110d6b.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
setup_installer.exe
Resource
win7-20240708-en
Malware Config
Extracted
smokeloader
pub3
Extracted
gcleaner
31.210.20.149
212.192.241.16
212.192.246.217
203.159.80.49
Extracted
redline
bernard05
141.95.211.151:34846
-
auth_value
0ca8e0ce5f601474792a9d04a56b69f8
Targets
-
-
Target
476257ebcbb7ecfa831e625b1d110d6b
-
Size
7.8MB
-
MD5
476257ebcbb7ecfa831e625b1d110d6b
-
SHA1
0fe7b399f9acfaf448662eb500ba062ffd6e5b91
-
SHA256
f588626ae93f8d280520dc8a46009d01c68129006b6786641a458963af97b5bc
-
SHA512
83a4ed5e0faba1bf132d397ca1122d662e0951f714756c8da7c9c92e2c5f97a1af16d377ddf39a0c2d578f23d003f8ad5f1a689215dc8a88485f00d4df953a9c
-
SSDEEP
196608:JOk1nkZIuVQHasQWXYZ/Bw9AVHPeDZj2VPkRASLYnH1jyPrYVW:J/nkZ5VQ6DWX6cAVHPOpJRA/nVmT
-
Detect Fabookie payload
-
Fabookie family
-
Gcleaner family
-
Smokeloader family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
setup_installer.exe
-
Size
7.8MB
-
MD5
62c031e5a7ff452d122856ceb0fab07d
-
SHA1
d4ec184055acd1fa5cee0e9a0af478ce21c6921d
-
SHA256
e2ccabb2928b7d5f92e55cc60a4ed9e9e0c67349b393adf6eb8072980f5ebefa
-
SHA512
019cebfbf9bb36c1a57494332e724aac6d3e8afd35a76ed01ee337191c0faf46822f339db883340132ec4d433fee31afd315620c3d705f989b6d0d8750d5c67c
-
SSDEEP
196608:xoYSPl5z0o/SJsI5von1MTtZfXSjUrJvO3toM/6r:xoYAlB0oaayvwMTnSSJvOadr
-
Detect Fabookie payload
-
Fabookie family
-
Gcleaner family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Smokeloader family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1