General

  • Target

    659a82dba8a06187307558027d618639a3203d7395552e91781969e86b2d199d

  • Size

    30KB

  • Sample

    221220-rymzqadb61

  • MD5

    0f8ffd303727f8c19ebb3ee033d5c26f

  • SHA1

    3eac789899a1f930c36f810889d3e7b8ff915bc0

  • SHA256

    659a82dba8a06187307558027d618639a3203d7395552e91781969e86b2d199d

  • SHA512

    bfba532ad66f1cd93b18a08e35d6bcf1fd66eafe999dc72c865f2828ec132d701347371c708d3b16b9cda5f4b90c8dfb1a2ffbd1b6bc0385104207a84b930731

  • SSDEEP

    768:Nf2z5wdkk846MlpaOucO4h9tnB95Cc6NirsQMFXDTRaU:NAIkk84Hp/vl6XXDk

Malware Config

Extracted

Family

redline

Botnet

mario23_10

C2

167.235.252.160:10642

Attributes

  • auth_value

    eca57cfb5172f71dc45986763bb98942

Targets

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks