General
Target: 76fa9ef84067fb655ebdbe972c6c575e35a8b656ae2cf1fa7149c4b357dd86e6
Size: 221KB
Sample: 221024-s1qztshear
MD5: 4dc9febd77c4f23e3420d55811af12ef
SHA1: f21e96f3e83c83ca5977f5d567c1c495e2c9e59f
SHA256: 76fa9ef84067fb655ebdbe972c6c575e35a8b656ae2cf1fa7149c4b357dd86e6
SHA512: 788a7a17c2f3d3fcbcc4cb0f322ca8b5c7edd0618a60faa8634374e83d62eac6003f640413ce370638dcc6a106ee5904e9e49fdc21e7993dfd1074eb93d3c5b9
SSDEEP: 3072:Aa28pNHJpImBPTVLtioH8wm6RRk5Be6uzSDOlLGu3+rLvk/Q6fetWs5:Aa/bhLZmgKe6uzRlbCLc/QKK
Static task: static1
Malware Config
Extracted: danabot
  type: loader
  embedded_hash: 569235DCA8F16ED8310BBACCB674F896
  C2 (as reported by the extractor):
    49.0.50.0:57
    51.0.52.0:0
    53.0.54.0:1200
    55.0.56.0:65535
  Note: treat these four addresses as a likely extractor false positive rather than as IOCs. Their sixteen octets, concatenated in order, are 31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00, which is the string "12345678" encoded as UTF-16LE, i.e. a wide-character string that the config parser has read as an array of IPv4 addresses; ports 0 and 65535 are also not usable C2 listeners. The type and embedded_hash fields are not affected by this and can still be used for clustering.
Extracted: vidar
  version: 55.2
  profile_id: 937
  URLs:
    https://t.me/slivetalks
    https://c.im/@xinibin420
  Note: for Vidar these are dead-drop profiles (a Telegram channel and a Mastodon account) that the stealer reads at run time to obtain its real C2 address; the address in the profile can change without the binary changing, so both the profile URLs and whatever C2 the sandbox observed in network traffic should be recorded.
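Added example, not part of the report and not any config extractor's own code: a small checker for host:port entries that a config extractor has emitted, run here on the four danabot entries above. It decodes the concatenated address octets as UTF-16LE text, flags ports that cannot be listeners, and checks that each address is globally routable. The function names, the `DANABOT_C2` constant and the plausibility thresholds are this example's own assumptions.

```python
"""Sanity-check host:port entries emitted by a malware config extractor.

Added example, not part of the sandbox report and not the extractor's own
code. Input is the four danabot "C2" entries the report lists; the checks
are generic and work on any list of host:port strings.
"""
from __future__ import annotations

import ipaddress
import string

# The four entries copied from the report's danabot config block.
DANABOT_C2 = [
    "49.0.50.0:57",
    "51.0.52.0:0",
    "53.0.54.0:1200",
    "55.0.56.0:65535",
]

# Printable ASCII minus control whitespace (space is allowed).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def split_entry(entry: str) -> tuple[str, int]:
    """'a.b.c.d:port' -> ('a.b.c.d', port); raises ValueError on malformed input."""
    host, _, port = entry.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"malformed entry: {entry!r}")
    return host, int(port)


def octets(entries: list[str]) -> bytes:
    """Concatenate the raw octets of every address, in list order."""
    return b"".join(ipaddress.IPv4Address(split_entry(e)[0]).packed for e in entries)


def as_utf16le_text(raw: bytes) -> str | None:
    """Return the text if raw is UTF-16LE printable ASCII, else None.

    A parser that reads a wide string as an IPv4 array produces exactly this
    byte pattern: printable byte, NUL, printable byte, NUL, ...
    """
    if not raw or len(raw) % 2:
        return None
    lo, hi = raw[0::2], raw[1::2]
    if any(hi) or not all(chr(b) in PRINTABLE for b in lo):
        return None
    return raw.decode("utf-16-le")


def port_is_plausible(port: int) -> bool:
    """Port 0 can never be a listener; 65535 is legal but essentially never a C2 port."""
    return 1 <= port <= 65534


def address_is_routable(host: str) -> bool:
    """Reject private, loopback, link-local, multicast and reserved space."""
    return ipaddress.IPv4Address(host).is_global


def triage(entries: list[str]) -> dict:
    """Summarise why a block of extracted C2 entries should (not) be trusted."""
    text = as_utf16le_text(octets(entries))
    bad_ports = [e for e in entries if not port_is_plausible(split_entry(e)[1])]
    non_routable = [e for e in entries if not address_is_routable(split_entry(e)[0])]
    # Assumed heuristic: decoded text, or bad ports on at least half the entries.
    suspicious = text is not None or (bool(bad_ports) and 2 * len(bad_ports) >= len(entries))
    return {
        "decoded_text": text,
        "implausible_ports": bad_ports,
        "non_routable": non_routable,
        "likely_false_positive": suspicious,
    }


if __name__ == "__main__":
    print(triage(DANABOT_C2))
```

On the report's entries `triage` reports `decoded_text` of "12345678", two implausible ports and no non-routable addresses, so the block is marked as a likely false positive; a single well-formed entry such as 185.220.101.5:443 passes every check.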
Targets
Target: 76fa9ef84067fb655ebdbe972c6c575e35a8b656ae2cf1fa7149c4b357dd86e6 (221KB; hashes and SSDEEP as listed under General)
Signatures:
- Detects Smokeloader packer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry (the GeoID under HKCU\Control Panel\International\Geo), likely a geofence that aborts execution in excluded locales.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: enumerates Uninstall key entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and its WOW6432Node counterpart) to list the software on the host.
- Suspicious use of SetThreadContext: redirecting a thread in another process is the usual final step of process hollowing or thread hijacking, consistent with the dropped-EXE execution above.
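Added example, not the sandbox's own signature code: the location check, software enumeration, wallet access and cross-process SetThreadContext behaviours above, written as matching rules over an API trace. The trace format (one `pid<TAB>api<TAB>argument` line per call), the PIDs and the rule names are assumptions for this example; the GeoID and Uninstall registry paths are the real Windows locations, while the wallet path list is illustrative and not exhaustive.

```python
"""Match sandbox-style API events against the behaviours this report lists.

Added example, not part of the report and not the sandbox's own rules. Both
traces below are constructed for the example in a simple
"pid<TAB>api<TAB>argument" format.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed trace: a loader (pid 1000) spawns a suspended child, overwrites it
# and redirects its main thread; the payload (pid 1200) then profiles the host.
SAMPLE_TRACE = """\
1000\tCreateProcessW\tC:\\Windows\\System32\\svchost.exe (CREATE_SUSPENDED)
1000\tWriteProcessMemory\tpid=1200
1000\tSetThreadContext\tpid=1200 tid=1204
1000\tResumeThread\tpid=1200 tid=1204
1200\tRegQueryValueExW\tHKCU\\Control Panel\\International\\Geo\\Nation
1200\tRegEnumKeyExW\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall
1200\tRegEnumKeyExW\tHKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall
1200\tCreateFileW\tC:\\Users\\x\\AppData\\Roaming\\Bitcoin\\wallet.dat
1200\tCreateFileW\tC:\\Users\\x\\AppData\\Roaming\\Electrum\\wallets\\default_wallet
"""

# Constructed benign trace: ordinary registry/file use and a same-process
# SetThreadContext (debuggers and runtimes do this legitimately).
BENIGN_TRACE = """\
2000\tRegQueryValueExW\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced
2000\tCreateFileW\tC:\\Users\\x\\Documents\\notes.txt
2000\tSetThreadContext\tpid=2000 tid=2008
"""

# Illustrative wallet artefacts (Bitcoin Core, Electrum, Exodus); extend as needed.
WALLET_MARKERS = [
    r"\\Bitcoin\\wallet\.dat$",
    r"\\Electrum\\wallets\\",
    r"\\Exodus\\exodus\.wallet\\",
]


def parse(trace: str) -> list[tuple[int, str, str]]:
    """Split the tab-separated trace into (pid, api, argument) tuples."""
    events = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        pid, api, arg = line.split("\t", 2)
        events.append((int(pid), api, arg))
    return events


def checks_location(pid: int, api: str, arg: str) -> bool:
    """GeoID read: HKCU\\Control Panel\\International\\Geo\\Nation."""
    return api.startswith("RegQueryValue") and arg.lower().endswith(
        r"\control panel\international\geo\nation"
    )


def enumerates_software(pid: int, api: str, arg: str) -> bool:
    """Enumeration of the Uninstall key (native or WOW6432Node view)."""
    return api.startswith("RegEnum") and arg.lower().endswith(r"\currentversion\uninstall")


def touches_wallet(pid: int, api: str, arg: str) -> bool:
    """File open on a known wallet location."""
    return api == "CreateFileW" and any(re.search(m, arg, re.IGNORECASE) for m in WALLET_MARKERS)


def cross_process_thread_context(pid: int, api: str, arg: str) -> bool:
    """SetThreadContext on a thread that belongs to a different process."""
    if api != "SetThreadContext":
        return False
    m = re.search(r"\bpid=(\d+)", arg)
    return bool(m) and int(m.group(1)) != pid


RULES = {
    "Checks computer location settings": checks_location,
    "Checks installed software on the system": enumerates_software,
    "Accesses cryptocurrency files/wallets": touches_wallet,
    "Suspicious use of SetThreadContext": cross_process_thread_context,
}


def match_rules(trace: str) -> dict[str, list[tuple[int, str, str]]]:
    """Return {signature name: [matching events]} for every rule that fired."""
    hits: dict[str, list[tuple[int, str, str]]] = defaultdict(list)
    for pid, api, arg in parse(trace):
        for name, rule in RULES.items():
            if rule(pid, api, arg):
                hits[name].append((pid, api, arg))
    return dict(hits)


def triggered(trace: str) -> list[str]:
    """Sorted names of the signatures the trace triggers."""
    return sorted(match_rules(trace))


if __name__ == "__main__":
    for name, events in match_rules(SAMPLE_TRACE).items():
        print(f"{name}: {len(events)} event(s)")
```

The SetThreadContext rule deliberately requires a different target PID: a process setting the context of its own threads is routine, and it is the cross-process case that lines up with the dropped-EXE execution this report records.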