General
- Target: 2adc62e232f429359cc1c348997cabd7188cbe1cafe3b88d2734167e01a54e1b
- Size: 130KB
- Sample: 220926-zg7lssbhh7
- MD5: a1f3805a56f9d5b37f28dcf2f029d26a
- SHA1: 6324484d0d840579e67bc143350211e391dd492b
- SHA256: 2adc62e232f429359cc1c348997cabd7188cbe1cafe3b88d2734167e01a54e1b
- SHA512: 54340a74e83ff7b113cf1b5a81fa564787d68e3bd081fcdb034f77719b0fcf26178c53d47a7f6ca39842f6573919fcc218b05cbc868917a5b66ce5c82308a776
- SSDEEP: 3072:8rLWT55IpoDoOyePCnKaOWR+EP2YxYIUSSXDKi5B:SpoMOy2CKN9u2YbAXDK
Static task: static1
Malware Config

Extracted: danabot
- 198.15.112.179:443
- 185.62.56.245:443
- 153.92.223.225:443
- 192.119.70.159:443
- embedded_hash: 6618C163D57D6441FCCA65D86C4D380D
- type: loader

Extracted: redline
- insmix
- jamesmillion2.xyz:9420
- auth_value: f388a05524f756108c9e4b0f4c4bafb6

Extracted: redline
- KOI_FIX
- gang-bang.online:14444
- splinterleands.com:14444
- auth_value: d7e70f943e12617abdc907834033a02c
Targets
- Target: 2adc62e232f429359cc1c348997cabd7188cbe1cafe3b88d2734167e01a54e1b
- Detects Smokeloader packer
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Valak JavaScript Loader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence at a level below the operating system.