General

Target: BLOXFLIP-Predictor-main.zip
Size: 123KB
Sample: 220903-jpsvlsecd9
MD5: 28c28161403630ca68d42a4af4c29480
SHA1: 82ff950edad08f33a9b79dd85016432850ce9d5b
SHA256: ec9841cb538722c15ef2900a750f8cc9a50f2b26d35078819117e180c1926e78
SHA512: 152403206ede6dbaeb444c771336c857657d9988f1bca3264817598ca6e427892830021ed99ce85858c5426902b4ea133c9f2bb9e514ce4687922cc8209204ab
SSDEEP: 3072:7NuWTMAD9YKMDYnVsYQpoJNSrOdvxQBdELM:7NuK90kV0moOq9
Static task: static1

Behavioral task: behavioral1
Sample: BLOXFLIP-Predictor-main/BloxPredictor.bat
Resource: win10-20220812-en

Behavioral task: behavioral2
Sample: BLOXFLIP-Predictor-main/DiscordHookSender.dll
Resource: win10-20220812-en

Behavioral task: behavioral3
Sample: BLOXFLIP-Predictor-main/README.md
Resource: win10-20220901-en
Malware Config

Extracted: redline
Dv: 195.3.223.79:65252
Targets

Target: BLOXFLIP-Predictor-main/BloxPredictor.bat
Size: 24KB
MD5: 2ce736935920d83e5d55570739ca8c17
SHA1: 9aab2f25403a0fe6921c152f61ed3d2ceacfad49
SHA256: 001c531b29372d4f6c7697ac00a575773470d23c8681d1d5930aa1e4cd860b76
SHA512: c58589dbcf5a23ca2cd9284733db20659b81850a33bc6eddf6379507fb7307a569019373168665fee93c02d42bdd3ee3c42377db7e16405e32f6e7554d8a3de0
SSDEEP: 768:lsh2CrG0Qz6Ee7Z+x4a7eE8xRrQAh+WVqMJzO:BCrGrGE7x4a7eDfrQAh+SJzO
Signatures:
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
- Modifies security service
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Possible privilege escalation attempt
- Stops running service(s)
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
Target: BLOXFLIP-Predictor-main/DiscordHookSender.dll
Size: 232KB
MD5: 267a1dbc11b46409246492103e61f6cf
SHA1: 0bfdcec52aa12159c3d7f8031f9d18d0e067766b
SHA256: f97600ec337e617940502efcfce7ff0fe4bfabee00f4726d43716fa5ecd0ec71
SHA512: 2224c1ba1dfd193b0111deef4b793566945ae7709057cc2748564271a43ec870a0e4ea1619cdf411aec6d876c11463e995ce1efd406ff8cfda5b53e5026ad266
SSDEEP: 3072:vJ/QKDUjSmd+Cr98BGtdV0F9UmFuT2sBLmTf0QZSkJqsDloKgfIiwVxxOrpoiKyW:vJnU2MWsVmFuT2cLkf0QZSUUufCFmWk
Score: 1/10
Target: BLOXFLIP-Predictor-main/README.md
Size: 1KB
MD5: 72b7350921fe5f31a779a24e9429ae8d
SHA1: 8cf1e3334cfe74c1ad910b9280c95cbeb1724ada
SHA256: 499dfd70a837fcf2d91f32a1854e0faac24ad5810f1633f4fe2191e9337a2ba1
SHA512: d3afa91a7b4dc8251d1a12cfb80fe5fdec210a2f7c0b4673d6354cc595b636d5857664ec334b86aa27ac8c60aa256fbb1f84a9be96e75a08fabe3ed9a498f251
Score: 3/10