General
Target: 6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe
Size: 7.3MB
Sample: 211123-1w9kdabdck
MD5: 131ac3c2f0495a301363e79f69c133e3
SHA1: c46b747d456bb5d805d005df6c6166fe546d4da1
SHA256: 6d2ff3cc83ea214e33e4105ccb1051cd85b82e052f6152d7f252667f2f5a5ecb
SHA512: fc1ae5f07ed8207a49f5bd24e10090ba5a27ed743b05704fdf1d0c45f726108eb6d0cb075f4acf000e2b6b616e37cf3972f47aa4aee8b9ac43d8d1bcfbcf9c05
Static task: static1
Behavioral task: behavioral1
Sample: 6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe
Resource: win7-en-20211104
Malware Config
Extracted: socelars
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
Extracted: redline
jamesfuck
65.108.20.195:6774
Extracted: smokeloader
2020
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
Extracted: redline
ANI
45.142.215.47:27643
Targets
Target: 6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe
Size: 7.3MB
MD5: 131ac3c2f0495a301363e79f69c133e3
SHA1: c46b747d456bb5d805d005df6c6166fe546d4da1
SHA256: 6d2ff3cc83ea214e33e4105ccb1051cd85b82e052f6152d7f252667f2f5a5ecb
SHA512: fc1ae5f07ed8207a49f5bd24e10090ba5a27ed743b05704fdf1d0c45f726108eb6d0cb075f4acf000e2b6b616e37cf3972f47aa4aee8b9ac43d8d1bcfbcf9c05
Signatures
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext