Overview

Task list with the score badge shown for each sandbox task (scores out of 10; sample names are truncated as on the page, and the target cards further down carry their own score where the report shows one):
Sample | Platform | Score
(static analysis of the archive) | - | 10
f4eb00edcb...d2.exe | windows7_x64 | not shown
f4eb00edcb...d2.exe | windows10_x64 | 10
ee4355899a...0b.exe | windows7_x64 | 10
ee4355899a...0b.exe | windows10_x64 | 1
e5d61c0b7d...0f.exe | windows7_x64 | 1
e5d61c0b7d...0f.exe | windows10_x64 | 10
e2ffb8aeeb...f6.exe | windows7_x64 | 10
e2ffb8aeeb...f6.exe | windows10_x64 | 10
d965344c14...19.exe | windows7_x64 | 7
d965344c14...19.exe | windows10_x64 | 10
d097ca2583...22.exe | windows7_x64 | 10
d097ca2583...22.exe | windows10_x64 | 10
ca14b87b56...83.exe | windows7_x64 | 10
ca14b87b56...83.exe | windows10_x64 | 10
bc6dfe9ae5...09.exe | windows7_x64 | 10
bc6dfe9ae5...09.exe | windows10_x64 | 3
b645101f39...21.exe | windows7_x64 | 3
b645101f39...21.exe | windows10_x64 | 10
9c4880a98c...82.exe | windows7_x64 | 10
9c4880a98c...82.exe | windows10_x64 | 10
96c9fde298...34.exe | windows7_x64 | 10
96c9fde298...34.exe | windows10_x64 | 10
88e993e974...2f.exe | windows7_x64 | 10
88e993e974...2f.exe | windows10_x64 | 10
809ed9e2d0...41.exe | windows7_x64 | 10
809ed9e2d0...41.exe | windows10_x64 | 10
7dc7ca2414...84.exe | windows7_x64 | 10
7dc7ca2414...84.exe | windows10_x64 | 10
775338ae18...e4.exe | windows7_x64 | 10
775338ae18...e4.exe | windows10_x64 | 10
5cb26af890...00.exe | windows7_x64 | 10
5cb26af890...00.exe | windows10_x64 | 10
General
Score: 10/10
Target: 6050639261106176.zip
Size: 49.7MB
Sample: 211110-segh9shcd2
MD5: 219ac0109c3e07842f790b412fec94ba
SHA1: 4f8ef33c738aff58136f4589dc547fef41656c75
SHA256: 54dd0b1767570b23927b3959b1b53e2184b604eec29f168ca5f2b644a438309f
SHA512: df78fb954a8a19797030e016a797fed8622de9f7d0fb106ca91f3149a889b5693f317886b2b3274b254376675a15b3a17beabc1d683761211adc1d5502939cc9
Tasks
Static task: static1
Behavioral tasks (task | sample | resource image):
behavioral1 | f4eb00edcbe216c7520fee4b0bb806e612c5a78c5d3da46f1f6fed3678dacad2.exe | win7-en-20211104
behavioral2 | f4eb00edcbe216c7520fee4b0bb806e612c5a78c5d3da46f1f6fed3678dacad2.exe | win10-en-20211104
behavioral3 | ee4355899a94ed5b369d8a8851d52ef2286c01af577e70bc82f43a5f4716fb0b.exe | win7-en-20211104
behavioral4 | ee4355899a94ed5b369d8a8851d52ef2286c01af577e70bc82f43a5f4716fb0b.exe | win10-en-20211014
behavioral5 | e5d61c0b7d3bea5c6fb6df58e067be3f5d6d31b17d0e193f170c73bc0523250f.exe | win7-en-20211104
behavioral6 | e5d61c0b7d3bea5c6fb6df58e067be3f5d6d31b17d0e193f170c73bc0523250f.exe | win10-en-20211014
behavioral7 | e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe | win7-en-20211104
behavioral8 | e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe | win10-en-20211014
behavioral9 | d965344c145a82ea6fcb32c42f683a15e27914bd9f243cb55782c367eeb17d19.exe | win7-en-20211104
behavioral10 | d965344c145a82ea6fcb32c42f683a15e27914bd9f243cb55782c367eeb17d19.exe | win10-en-20211104
behavioral11 | d097ca2583425f648592138b57562334c0b83d3179634fd43a0b611bdf720122.exe | win7-en-20211014
behavioral12 | d097ca2583425f648592138b57562334c0b83d3179634fd43a0b611bdf720122.exe | win10-en-20211104
behavioral13 | ca14b87b565c6b1c90eb3365bed694bd9e8a8b3d0ab6e3ca0c680baec6422f83.exe | win7-en-20211014
behavioral14 | ca14b87b565c6b1c90eb3365bed694bd9e8a8b3d0ab6e3ca0c680baec6422f83.exe | win10-en-20211104
behavioral15 | bc6dfe9ae53c745b83810c092635dee8d3a5e58fda2e91552cc5683399568c09.exe | win7-en-20211014
behavioral16 | bc6dfe9ae53c745b83810c092635dee8d3a5e58fda2e91552cc5683399568c09.exe | win10-en-20211104
behavioral17 | b645101f39b30453587d2cfbc674bc105c9dcb2195f7fda87fb7d3debac57b21.exe | win7-en-20211104
behavioral18 | b645101f39b30453587d2cfbc674bc105c9dcb2195f7fda87fb7d3debac57b21.exe | win10-en-20211014
behavioral19 | 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe | win7-en-20211104
behavioral20 | 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe | win10-en-20211014
behavioral21 | 96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe | win7-en-20211104
behavioral22 | 96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe | win10-en-20211014
behavioral23 | 88e993e9749fc01b654faadb511143d5f6530496ac1013d075342a053d64bb2f.exe | win7-en-20211104
behavioral24 | 88e993e9749fc01b654faadb511143d5f6530496ac1013d075342a053d64bb2f.exe | win10-en-20211104
behavioral25 | 809ed9e2d09751dad774b865881411b32bd24ad1626e331c0760b507c20eb741.exe | win7-en-20211014
behavioral26 | 809ed9e2d09751dad774b865881411b32bd24ad1626e331c0760b507c20eb741.exe | win10-en-20211104
behavioral27 | 7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe | win7-en-20211014
behavioral28 | 7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe | win10-en-20211104
behavioral29 | 775338ae182f692416e822b49ee9450ccf484f7bf179111cff7058c12fe29be4.exe | win7-en-20211014
behavioral30 | 775338ae182f692416e822b49ee9450ccf484f7bf179111cff7058c12fe29be4.exe | win10-en-20211104
behavioral31 | 5cb26af89016d92b17fac85ae007d21027b3032174425c2bb6753241d62b2b00.exe | win7-en-20211104
behavioral32 | 5cb26af89016d92b17fac85ae007d21027b3032174425c2bb6753241d62b2b00.exe | win10-en-20211014
Malware Config

Extracted: vidar
Version: 41.5
Botnet: 933
C2: https://mas.to/@xeroxxx
profile_id: 933

Extracted: smokeloader
Version: 2020
C2:
- http://directorycart.com/upload/
- http://tierzahnarzt.at/upload/
- http://streetofcards.com/upload/
- http://ycdfzd.com/upload/
- http://successcoachceo.com/upload/
- http://uhvu.cn/upload/
- http://japanarticle.com/upload/

Extracted: redline
Botnet: media20
C2: 91.121.67.60:2151

Extracted: vidar
Version: 48.1
Botnet: 937
C2: none listed
profile_id: 937

Extracted: socelars
C2:
- http://www.iyiqian.com/
- http://www.hbgents.top/
- http://www.rsnzhy.com/
- http://www.znsjis.top/

Extracted: redline
Botnet: she
C2: 135.181.129.119:4805

Extracted: redline
Botnet: media15
C2: 91.121.67.60:2151

Extracted: redline
Botnet: ANI
C2: 194.104.136.5:46013

Extracted: vidar
Version: 41.4
Botnet: 916
C2: https://mas.to/@sslam
profile_id: 916

Two of the Vidar configs point at profiles on mas.to, a public Mastodon instance, rather than at attacker-owned infrastructure: Vidar reads its real C2 address from the profile text (a dead-drop resolver), which is what the "Legitimate hosting services abused for malware hosting/C2" signature in the target cards below refers to. Block or hunt on the full profile path, not on the mas.to host. The RedLine endpoint 91.121.67.60:2151 is shared by the media15 and media20 botnet IDs.
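The extracted C2 values above, turned into a hunt over outbound-connection logs. This is an added example, not part of the sandbox report: the indicator values are the ones extracted above, while the log lines, their whitespace-separated layout (source, destination host, port, path) and the `SHARED_HOSTS` set are constructed for the example. The point it makes is the mas.to caveat: a dedicated SmokeLoader or Socelars domain matches on host alone, the Vidar dead drops only match on host plus profile path, and a RedLine socket matches on IP plus port.

```python
"""Hunt the extracted C2 indicators in constructed connection-log lines.

Added example (not sandbox code). Indicator values come from the extracted
configs on the report page; log layout and sample lines are constructed.
"""
from urllib.parse import urlsplit

# C2 values as extracted in the report, grouped by family.
EXTRACTED_C2 = {
    "vidar": ["https://mas.to/@xeroxxx", "https://mas.to/@sslam"],
    "smokeloader": [
        "http://directorycart.com/upload/",
        "http://tierzahnarzt.at/upload/",
        "http://streetofcards.com/upload/",
        "http://ycdfzd.com/upload/",
        "http://successcoachceo.com/upload/",
        "http://uhvu.cn/upload/",
        "http://japanarticle.com/upload/",
    ],
    "redline": ["91.121.67.60:2151", "135.181.129.119:4805", "194.104.136.5:46013"],
    "socelars": [
        "http://www.iyiqian.com/",
        "http://www.hbgents.top/",
        "http://www.rsnzhy.com/",
        "http://www.znsjis.top/",
    ],
}

# Legitimate services abused as dead drops (assumed list for this example):
# never block the whole host, match host plus path instead.
SHARED_HOSTS = {"mas.to"}


def build_indicators(extracted):
    """Split C2 values into three indicator tables.

    hosts:   dedicated domain -> family
    paths:   (shared host, path) -> family
    sockets: (ip, port) -> family
    """
    hosts, paths, sockets = {}, {}, {}
    for family, values in extracted.items():
        for value in values:
            if "://" in value:
                url = urlsplit(value)
                host = url.hostname.lower()
                if host in SHARED_HOSTS:
                    paths[(host, url.path.rstrip("/"))] = family
                else:
                    hosts[host] = family
            else:
                ip, port = value.rsplit(":", 1)
                sockets[(ip, int(port))] = family
    return hosts, paths, sockets


def match_log_line(line, hosts, paths, sockets):
    """Return the family hit by one 'src dst port path' line, or None."""
    _src, dst, port, path = line.split()  # constructed log layout
    dst = dst.lower()
    if (dst, int(port)) in sockets:
        return sockets[(dst, int(port))]
    if dst in hosts:
        return hosts[dst]
    return paths.get((dst, path.rstrip("/")))


# Constructed sample log: three true hits, one benign mas.to profile, one clean host.
SAMPLE_LOG = [
    "10.0.0.5 directorycart.com 80 /upload/",
    "10.0.0.5 91.121.67.60 2151 -",
    "10.0.0.7 mas.to 443 /@xeroxxx",
    "10.0.0.7 mas.to 443 /@someone_else",
    "10.0.0.9 example.org 443 /",
]


def hunt(lines=SAMPLE_LOG, extracted=EXTRACTED_C2):
    """Return [(line, family)] for every log line that hit an indicator."""
    hosts, paths, sockets = build_indicators(extracted)
    hits = []
    for line in lines:
        family = match_log_line(line, hosts, paths, sockets)
        if family:
            hits.append((line, family))
    return hits


if __name__ == "__main__":
    for line, family in hunt():
        print(f"{family:12s} {line}")
```

Running it reports the SmokeLoader domain, the RedLine socket and the @xeroxxx profile, and stays quiet on the unrelated mas.to profile, which is the behaviour a blocklist built from the raw host names would get wrong.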
Targets

A note on the signatures that recur across the target cards: "Suspicious use of NtCreateUserProcessOtherParentProcess" and "Suspicious use of NtCreateProcessExOtherParentProcess" flag a process created with an explicitly chosen parent other than the caller, i.e. parent-PID spoofing, so the recorded process tree hides the real creator. "Suspicious use of SetThreadContext" is the thread-context rewrite used by process hollowing and thread hijacking; together with "Executes dropped EXE", "Loads dropped DLL" and "Drops file in System32 directory" it is the injection and staging behaviour around the stealer and miner payloads.

Target: 5cb26af89016d92b17fac85ae007d21027b3032174425c2bb6753241d62b2b00
Size: 92KB
MD5: bc1448e17d086d57f635c7079c1bc773
SHA1: 1db1cb05523982e613b2e7977472f3adda47c1a2
SHA256: 5cb26af89016d92b17fac85ae007d21027b3032174425c2bb6753241d62b2b00
SHA512: 5b9c65f7e766560e2ccbc6a2aeba3dbbc1eeaca77eb57f2511155dcc86149d448d9780c9328562ff353aba8e4f90adc5c84ac9dcce509efe99cde56768c2f867
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar Stealer
- XMRig Miner Payload
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: 775338ae182f692416e822b49ee9450ccf484f7bf179111cff7058c12fe29be4
Size: 5.6MB
MD5: 7e6b1e9e80bb32a34426aecc480c18ac
SHA1: 1b776dd0f22d0395fa9d0f11b244d6dc0a6b3671
SHA256: 775338ae182f692416e822b49ee9450ccf484f7bf179111cff7058c12fe29be4
SHA512: ba00595038c7a65ab4e811d339e928d7f00a73ce706bcb9b2eaa5af2356199eecc44cd4f35fe7f2e05bbc48d1bab2c877071ac759658a4ff7579d43842d88831
Score: 1/10
Signatures: none

Target: 7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084
Size: 96KB
MD5: c202f1103c957930ec4cc01b43dfd472
SHA1: ffed9fc2e035d31f1b2e098471e8ec70334ff9fc
SHA256: 7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084
SHA512: 569aa632a2677cb9d1b0186f19676161853ceea55cb6ee94cfcc6ad4b558c57a2694ab0d2dc541484e4099530b2aab742b95d08c093150efa6585d98ce6356e4
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: uses a legitimate geolocation service to find the infected system's geolocation info.

Target: 809ed9e2d09751dad774b865881411b32bd24ad1626e331c0760b507c20eb741
Size: 6.8MB
MD5: 85fdfaf0375116479cb4d27c7bfd1263
SHA1: 64f6c4fafa6477128a4594435c6160a94c29a269
SHA256: 809ed9e2d09751dad774b865881411b32bd24ad1626e331c0760b507c20eb741
SHA512: 91a50317af88a6f5c33f471f771c04cb56aa5228bceeb94336d10d7934c056fcd682c5f20ad693399ed02be142173c60f28a1884664ead07dbdec312674b4a5b
Score: 10/10
Signatures:
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: 88e993e9749fc01b654faadb511143d5f6530496ac1013d075342a053d64bb2f
Size: 96KB
MD5: 1c58be0a33997195e1e9dbc5b9298ec6
SHA1: b60217ccbfd99efacb9388cdb0e4739279613892
SHA256: 88e993e9749fc01b654faadb511143d5f6530496ac1013d075342a053d64bb2f
SHA512: 4408bc064dd2a937070142d6c924473a67a17a34353f8cee3ae6156831fc06901ca9bdb377f8fb9600e04ffcd243826cded4f6afe730fda579414c3d2cbfd724
Score: 10/10
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: 96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434
Size: 7.0MB
MD5: 42fff45c940c819040ca8920fbb405cc
SHA1: 753821199880873e232bbe95ab2beb4ad0b6797c
SHA256: 96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434
SHA512: 7943f9d50e11fae6e3bc1a2fdf05bf5a1a96e3366948157ae1067e4f7834f692f1d2a59cf7fe4ef13e773596ca5a0ad26d62bbd285412550c01d02c1d4f7a05f
Score: 10/10
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782
Size: 3.6MB
MD5: 9725f7f222530388cb2743504a6e0667
SHA1: 56d0eb91855e326b050c904147f4d9dafc596d70
SHA256: 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782
SHA512: ea5aedb3c3ab725c9afc65481ef7b59cdfad80613aaf43a8e76ec94045824269b008007644cb7943e65e98a87650f7f980afcd66ae1dee7807d84be57c018663
Score: 10/10
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: b645101f39b30453587d2cfbc674bc105c9dcb2195f7fda87fb7d3debac57b21
Size: 96KB
MD5: 827ae659131c0058086d9b38bf378523
SHA1: 0ffcbf3097f6c0487469f728d28622f28843ffff
SHA256: b645101f39b30453587d2cfbc674bc105c9dcb2195f7fda87fb7d3debac57b21
SHA512: c44b71e1e4ca4bf5ac6686ee0fd31768114d58c8afd5b1fc952a3af7dab3438a3309dca5ef8fe97ffb0a3b2525e5cd77692a0d031a9fb134b0721e5c99cfba07
Score: 3/10
Signatures: none

Target: bc6dfe9ae53c745b83810c092635dee8d3a5e58fda2e91552cc5683399568c09
Size: 8KB
MD5: 8c9e935bccc4fac6b11920ef96927aac
SHA1: 38bd94eb5a5ef481a1e7c5192d9f824b7a16d792
SHA256: bc6dfe9ae53c745b83810c092635dee8d3a5e58fda2e91552cc5683399568c09
SHA512: cfd3f54aa0d8cc53388c3fe9e663a6b89a447c38873a3ccf7d658468928c9967e5c1ae7d2f4775ceb5d9b5553c640020fc858ea609190d61df68dec0cc3f2884
Score: 10/10
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: ca14b87b565c6b1c90eb3365bed694bd9e8a8b3d0ab6e3ca0c680baec6422f83
Size: 89KB
MD5: a56c80f6cef4b2466024b6af88123183
SHA1: 7d8d3a50f5b1239736423dbb0b1226d59bd1988a
SHA256: ca14b87b565c6b1c90eb3365bed694bd9e8a8b3d0ab6e3ca0c680baec6422f83
SHA512: 11c26244e282d37c7587a5838624bd2f310a0842add9fde6abb8150138e5d190438cc54e4e2df1d1985fc453600207d9f35effa290748ef05418534131128cd3
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext

Target: d097ca2583425f648592138b57562334c0b83d3179634fd43a0b611bdf720122
Size: 89KB
MD5: dc534760d1110201433d670e90ac2ed2
SHA1: 4ece22c0a4bde2a2f2936d87d9d6acb5668c3c78
SHA256: d097ca2583425f648592138b57562334c0b83d3179634fd43a0b611bdf720122
SHA512: e9889d072e9cb89201d5a64c7b507066f3edd8e4cf5cc56dea82677f69fb00fff5f1fe627ac9612e9bbd2d864afc91251313e32a403462f1fc572121240e3f99
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar Stealer
- XMRig Miner Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: d965344c145a82ea6fcb32c42f683a15e27914bd9f243cb55782c367eeb17d19
Size: 96KB
MD5: bf704f182bbb859d29f5fad29017fc7a
SHA1: 16ac48c6e870bcb9a1932669e48c6037a4f45126
SHA256: d965344c145a82ea6fcb32c42f683a15e27914bd9f243cb55782c367eeb17d19
SHA512: 79dcdbe815be041f2ca6bd4151e77283cf674575aab917ab33555ab9ab185413b9dadabc06aa0d878a3ada53a5a52f81f755dcc066c014d46492f3f0f871a248
Score: 10/10
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6
Size: 834KB
MD5: 2c25a0926e5228d2205b3b8c8ef4d7f4
SHA1: 5f8a9d364dc3d03a5b11fd5be0629d0fb5a8c409
SHA256: e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6
SHA512: cafe8fae74d414015118b838b5e4b30183733d5e833c5db84a56bd2d5cf728cad08d2bbefbeadc86b15b7dbf6dc25fcabdffa8ff4fb346dc0f66376087a28468
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext

Target: e5d61c0b7d3bea5c6fb6df58e067be3f5d6d31b17d0e193f170c73bc0523250f
Size: 3.6MB
MD5: 97ac68892705d183935837037e6cc7f8
SHA1: b143ca62207abd532628cd9bd7b30328b280c75f
SHA256: e5d61c0b7d3bea5c6fb6df58e067be3f5d6d31b17d0e193f170c73bc0523250f
SHA512: d95128cc75f2bb241afdf6b54db331a33a3b1d40416aacc31a5524371455f5e6d08c06b686864089b553b71b2a272de9d7243f346ec72c65c631270597de4a8b
Score: 10/10
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: ee4355899a94ed5b369d8a8851d52ef2286c01af577e70bc82f43a5f4716fb0b
Size: 8KB
MD5: 69f0fe993f6e63c9e7a2b739ec956e82
SHA1: 6f9a1b7a9fceac26722da17e204f57a47d7b66a5
SHA256: ee4355899a94ed5b369d8a8851d52ef2286c01af577e70bc82f43a5f4716fb0b
SHA512: 1f81e0b8c3a5748a2aa47e02f8b1c1fc09e8d81871a607a148343ac3c579b82685f41eddf2070976a31aabccef0e70303c05d30e0c78c287a5c478c886185b1a
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: uses a legitimate geolocation service to find the infected system's geolocation info.

Target: f4eb00edcbe216c7520fee4b0bb806e612c5a78c5d3da46f1f6fed3678dacad2
Size: 1.6MB
MD5: 5f84034c670130aa2f3959e8b2f516de
SHA1: 46b026c3a74b5770c0da55760f143d6d86cb6d5f
SHA256: f4eb00edcbe216c7520fee4b0bb806e612c5a78c5d3da46f1f6fed3678dacad2
SHA512: 7f4847b630b9529cbd495b17221e6562cb694fddf36babd1ff40811f71060027732dd1dacd7899b8479f41f2f4adc31c7f7b8757440d6f4bf7b6edcc4f07156a
Score: 10/10
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
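Two signatures recur across almost every target card above: "Process spawned unexpected child process" and "Suspicious use of NtCreateUserProcessOtherParentProcess" (parent-PID spoofing). The following is an added example, not the sandbox's own detection code, showing how both are evaluated over process-creation telemetry. The events are constructed, and the `creator_pid` field assumes a telemetry source that records which process actually issued the create call (a sandbox hook or a kernel process-notify callback sees it; a plain Sysmon Event ID 1 only carries the parent the creator chose, so spoofing is invisible there). The parent/child baseline (`OFFICE_HOSTS`, `SHELL_HOSTS`) is an assumption for the example, not something the report states.

```python
"""Evaluate 'unexpected child' and parent-PID-spoofing rules over process events.

Added example (not sandbox code). Events are constructed; creator_pid assumes
telemetry that records the real caller of NtCreateUserProcess.
"""
from dataclasses import dataclass

UNEXPECTED_CHILD = "Process spawned unexpected child process"
OTHER_PARENT = "Suspicious use of NtCreateUserProcessOtherParentProcess"

# Assumed baseline for this example: document viewers should not launch shells.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # basename of the new process image
    parent_pid: int     # parent as recorded on the new process object
    parent_image: str
    creator_pid: int    # process that actually called NtCreateUserProcess


def analyse(events):
    """Return [(pid, signature, detail)] in event order.

    Rule 1 (parent-PID spoofing): the recorded parent differs from the creator.
    Rule 2 (unexpected child): a document host spawns a script/shell host. The
    rule is evaluated against the *recorded* parent, so a spoofed parent can
    make it fire; rule 1 tells the analyst who really launched the child.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.creator_pid != e.parent_pid:
            creator = by_pid.get(e.creator_pid)
            who = creator.image if creator else "unknown"
            findings.append((e.pid, OTHER_PARENT,
                             f"{e.image} records parent {e.parent_image} "
                             f"(pid {e.parent_pid}) but was created by {who} "
                             f"(pid {e.creator_pid})"))
        if e.parent_image.lower() in OFFICE_HOSTS and e.image.lower() in SHELL_HOSTS:
            findings.append((e.pid, UNEXPECTED_CHILD,
                             f"{e.parent_image} (pid {e.parent_pid}) spawned {e.image}"))
    return findings


# Constructed process tree: a macro-launched shell, then a dropper that spoofs
# explorer.exe as parent for one child and winword.exe for another.
SAMPLE_EVENTS = [
    ProcEvent(1000, "explorer.exe", 800, "userinit.exe", 800),
    ProcEvent(2000, "winword.exe", 1000, "explorer.exe", 1000),
    ProcEvent(2100, "powershell.exe", 2000, "winword.exe", 2000),   # rule 2
    ProcEvent(3000, "dropper.exe", 1000, "explorer.exe", 1000),
    ProcEvent(3100, "svchost.exe", 1000, "explorer.exe", 3000),     # rule 1
    ProcEvent(3200, "cmd.exe", 2000, "winword.exe", 3000),          # rules 1 and 2
]


if __name__ == "__main__":
    for pid, signature, detail in analyse(SAMPLE_EVENTS):
        print(f"pid {pid}: {signature}: {detail}")
```

The last event is the case worth noticing: the process tree shows winword.exe launching cmd.exe, which an analyst would read as a macro, while the creator field shows the dropper chose that parent deliberately. Triage attribution to the dropper without a creator-PID source requires correlating on timing or handle activity instead.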