General
-
Target
423ADCAA5B1076A3871837BCFC61177CDDEC9C5F30E34.exe
-
Size
4MB
-
Sample
211107-ws6xvsagh5
-
MD5
071b5bc431a3854d1c55e44a8fe01e1f
-
SHA1
815cf908a4ddbe8b2a5a76b7eb8cf927eac7c558
-
SHA256
423adcaa5b1076a3871837bcfc61177cddec9c5f30e34b8c112c6a1985c868aa
-
SHA512
a0364d4c2ccdfcc96c1f23ea918a088de5a70733c61c42e2bdfa9a7f1b03069b8ee8cfbcadff593c2fdbc05023b351e7b864cebd80c2d991d1ad29d9928f4967
Static task
static1
Behavioral task
behavioral1
Sample
423ADCAA5B1076A3871837BCFC61177CDDEC9C5F30E34.exe
Resource
win7-en-20211104
Malware Config
Extracted
socelars
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.znsjis.top/
Extracted
vidar
40.7
706
https://petrenko96.tumblr.com/
-
profile_id
706
Extracted
redline
pab123
45.14.49.169:22411
Extracted
redline
ANI
45.142.215.47:27643
Extracted
smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Extracted
vidar
47.9
937
https://mas.to/@kirpich
-
profile_id
937
Extracted
redline
janesam
65.108.20.195:6774
Targets
-
-
Target
423ADCAA5B1076A3871837BCFC61177CDDEC9C5F30E34.exe
-
Size
4MB
-
MD5
071b5bc431a3854d1c55e44a8fe01e1f
-
SHA1
815cf908a4ddbe8b2a5a76b7eb8cf927eac7c558
-
SHA256
423adcaa5b1076a3871837bcfc61177cddec9c5f30e34b8c112c6a1985c868aa
-
SHA512
a0364d4c2ccdfcc96c1f23ea918a088de5a70733c61c42e2bdfa9a7f1b03069b8ee8cfbcadff593c2fdbc05023b351e7b864cebd80c2d991d1ad29d9928f4967
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-