General
Target: 5399323c2fc071c9d2045b04e6ded1e7742544765e73c424c6d67b7eab1010aa
Size: 159KB
Sample: 211130-tay37aaeg4
MD5: 5f29dc4150c047fc21e69c9763dcc304
SHA1: c4ac1c8029f60736b818a6f80078751b3b640e30
SHA256: 5399323c2fc071c9d2045b04e6ded1e7742544765e73c424c6d67b7eab1010aa
SHA512: 87b018fc58dae08329bd59976036dad6c03eed2a69ea62a7de7bd7fc308792919bdea48a185fe2f0ed424f330256d4736b1a086b7ca6d4f18d655d5de04f8bc6
Static task: static1
Malware Config
Extracted: smokeloader
  Version: 2020
  C2: http://host-data-coin-11.com/
  C2: http://file-coin-host-12.com/
Extracted: arkei
  Botnet: Default
  C2: http://file-file-host4.com/tratata.php
Extracted: redline
  C2: 92.255.76.197:38637
Extracted: amadey
  Version: 2.85
  C2: 185.215.113.35/d2VxjasuwS/index.php
Extracted: icedid
  Campaign: 2904573523
  C2: placingapie.ink
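The extractor emits C2 values in four different shapes (full URL, bare IP:port, scheme-less host/path, bare domain). Before these go into a blocklist or a hunting query they need to be normalised into host, port and path. The following is an added example, not part of the sandbox report and not code from any of the malware families or tools named above; the C2 values are copied from the report, while the default-port rule, the tab-separated defanged output format and the `Indicator` type are my own assumptions.

```python
"""Normalise extracted C2 values from the report above into uniform indicators."""
from dataclasses import dataclass
from urllib.parse import urlsplit
import ipaddress

# Copied from the Malware Config section of the report.
EXTRACTED = [
    {"family": "smokeloader",
     "c2": ["http://host-data-coin-11.com/", "http://file-coin-host-12.com/"]},
    {"family": "arkei", "c2": ["http://file-file-host4.com/tratata.php"]},
    {"family": "redline", "c2": ["92.255.76.197:38637"]},
    {"family": "amadey", "c2": ["185.215.113.35/d2VxjasuwS/index.php"]},
    {"family": "icedid", "c2": ["placingapie.ink"]},
]


@dataclass(frozen=True)
class Indicator:
    family: str
    kind: str   # "ip" or "domain"
    host: str
    port: int
    path: str


def parse_c2(family, raw):
    """Turn one raw C2 string into an Indicator.

    Values without a scheme are given http:// first so that urlsplit() places
    the host in netloc instead of treating the whole string as a path.
    Assumed default ports: 80 for http, 443 for https.
    """
    text = raw if "://" in raw else "http://" + raw
    parts = urlsplit(text)
    host = parts.hostname
    if host is None:
        raise ValueError(f"no host in C2 value: {raw!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    return Indicator(family, kind, host, port, parts.path or "/")


def indicators(configs=EXTRACTED):
    """All indicators from the configs, de-duplicated, in report order."""
    seen = {}
    for cfg in configs:
        for raw in cfg["c2"]:
            ind = parse_c2(cfg["family"], raw)
            seen.setdefault(ind, None)
    return list(seen)


def defang(host):
    """Replace dots so the value cannot be clicked or auto-resolved."""
    return host.replace(".", "[.]")


def blocklist_lines(configs=EXTRACTED):
    """One tab-separated, defanged line per indicator (assumed ticket format)."""
    return [f"{i.family}\t{i.kind}\t{defang(i.host)}:{i.port}\t{i.path}"
            for i in indicators(configs)]


if __name__ == "__main__":
    for line in blocklist_lines():
        print(line)
```

The de-duplication matters on multi-family samples like this one: loaders frequently share hosting with the payloads they drop, and the same host appearing under two families is itself worth noting when pivoting on infrastructure.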
Targets
Target: 5399323c2fc071c9d2045b04e6ded1e7742544765e73c424c6d67b7eab1010aa
Size: 159KB
MD5: 5f29dc4150c047fc21e69c9763dcc304
SHA1: c4ac1c8029f60736b818a6f80078751b3b640e30
SHA256: 5399323c2fc071c9d2045b04e6ded1e7742544765e73c424c6d67b7eab1010aa
SHA512: 87b018fc58dae08329bd59976036dad6c03eed2a69ea62a7de7bd7fc308792919bdea48a185fe2f0ed424f330256d4736b1a086b7ca6d4f18d655d5de04f8bc6
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Arkei Stealer Payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThread with ThreadHideFromDebugger: stops the calling thread's debug events from being delivered to an attached debugger (anti-debugging).
- Suspicious use of SetThreadContext: rewriting another thread's register context is a common way to redirect a suspended thread into injected code.
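The registry and API signatures above are each a one-line verdict; when triaging your own telemetry you need the underlying rule. The following is an added example, not part of the report and not the sandbox's own detection logic: it runs a small rule set over an API trace. The registry key paths, the `pid<TAB>api<TAB>argument` trace format, the trace lines themselves and the heuristic that only cross-process SetThreadContext is flagged are all my assumptions; the THREADINFOCLASS value 0x11 for ThreadHideFromDebugger is the documented constant.

```python
"""Map the report's registry/API signatures onto raw trace events (added example)."""
import re
from collections import defaultdict

# THREADINFOCLASS value for ThreadHideFromDebugger.
THREAD_HIDE_FROM_DEBUGGER = 0x11

# Registry locations the three registry-based signatures are taken to mean.
# Assumed mapping; the report itself does not list the exact keys.
REGISTRY_RULES = {
    "vbox_acpi_check": re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    "bios_info_check": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)Bios", re.I),
    "installed_software_enum": re.compile(
        r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\b", re.I),
}

# Constructed trace, one "pid<TAB>api<TAB>argument" line per call. Made up to
# exercise the rules; it is not output from the sandbox. PID 3300 is a control
# process that touches harmless keys and only sets its own thread context.
SAMPLE_TRACE = [
    "1204\tRegOpenKeyExW\tHKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__",
    "1204\tRegQueryValueExW\tHKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
    "1204\tRegEnumKeyExW\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
    "1204\tNtSetInformationThread\tclass=0x11",
    "1204\tSetThreadContext\ttarget_pid=2480",
    "3300\tRegQueryValueExW\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
    "3300\tSetThreadContext\ttarget_pid=3300",
]


def parse_event(line):
    pid, api, arg = line.split("\t", 2)
    return int(pid), api, arg


def match_event(pid, api, arg):
    """Return the set of signature names a single event triggers."""
    hits = set()
    if api.startswith("Reg"):
        for name, rx in REGISTRY_RULES.items():
            if rx.search(arg):
                hits.add(name)
    elif api == "NtSetInformationThread":
        m = re.search(r"class=(0x[0-9a-f]+|\d+)", arg, re.I)
        if m and int(m.group(1), 0) == THREAD_HIDE_FROM_DEBUGGER:
            hits.add("hide_from_debugger")
    elif api == "SetThreadContext":
        # Assumed heuristic: only flag when the target lives in another process.
        m = re.search(r"target_pid=(\d+)", arg)
        if m and int(m.group(1)) != pid:
            hits.add("cross_process_setthreadcontext")
    return hits


def evaluate(lines):
    """Signature hits per PID over a whole trace."""
    per_pid = defaultdict(set)
    for line in lines:
        pid, api, arg = parse_event(line)
        per_pid[pid] |= match_event(pid, api, arg)
    return dict(per_pid)


def flag_processes(per_pid, min_hits=2):
    """PIDs that tripped at least `min_hits` distinct signatures."""
    return sorted(pid for pid, hits in per_pid.items() if len(hits) >= min_hits)


if __name__ == "__main__":
    results = evaluate(SAMPLE_TRACE)
    for pid, hits in sorted(results.items()):
        print(pid, sorted(hits))
    print("flagged:", flag_processes(results))
```

The per-PID threshold is what keeps the Uninstall-key rule usable: installers and inventory agents enumerate that key legitimately, so it is only interesting alongside the anti-VM or anti-debug hits on the same process.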