General
Target: C9DE02209482359466292BE7BC0464FC65037698B38C1.exe
Size: 5.1MB
Sample: 211109-n4631accal
MD5: 7d4ed604a4f010d09afd1b2c396d396f
SHA1: 5576b3328390498bd9706c1e3b1e9e48dd478906
SHA256: c9de02209482359466292be7bc0464fc65037698b38c1566cd331720e65f8ea0
SHA512: 7533ecb26eb50b13b457295f3c5a6ad1765597926915642591fed5e8d89e22b10258d2fc2d5e148b4e23975d8a9afd6e18f9e136c8d8ad7034292c608a6cc664
Static task: static1
Malware Config
Extracted: socelars
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.znsjis.top/
http://www.hhgenice.top/
Extracted: smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Extracted: redline
janesam
65.108.20.195:6774
Extracted: vidar
40.7
706
https://petrenko96.tumblr.com/
profile_id: 706
Targets
Target: C9DE02209482359466292BE7BC0464FC65037698B38C1.exe (5.1MB; MD5, SHA1, SHA256 and SHA512 as listed under General)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Downloads MZ/PE file
Executes dropped EXE
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger