General
Target: 6395021564739584.zip
Size: 12.0MB
Sample: 211124-ywx58sdegp
MD5: d65f6e5ce5f840a87a7fed04b9ed3198
SHA1: 83700f6332b5268d4be3f46f6c77fff5122c8224
SHA256: de1f79678a8e6e8b054f86159dcc8d51b9b67bb92984c2cd4bb9e0992a08c09c
SHA512: 406ca4d72558d7bc55c5190e66a0358ea48a62978077165e4c21aa43e06a811fdc7ef4d50429e4e95f3875c46fe0192016df6abb115078feb3a9db631766a543
Static task: static1
Behavioral task: behavioral1
Sample: bf00b8c65f1395322dace66b98f284510e944cbc1ede21a67db3d2e1b708a56c.exe
Resource: win7-en-20211104
Behavioral task: behavioral2
Sample: bf00b8c65f1395322dace66b98f284510e944cbc1ede21a67db3d2e1b708a56c.exe
Resource: win10-en-20211104
Malware Config
Extracted: socelars
http://www.ecgbg.com/
Extracted: vidar
48.7
933
https://mstdn.social/@anapa
https://mastodon.social/@mniami
profile_id: 933
Extracted: metasploit
windows/single_exec
Extracted: smokeloader
2020
http://membro.at/upload/
http://jeevanpunetha.com/upload/
http://misipu.cn/upload/
http://zavodooo.ru/upload/
http://targiko.ru/upload/
http://vues3d.com/upload/
Targets
Target: bf00b8c65f1395322dace66b98f284510e944cbc1ede21a67db3d2e1b708a56c
Size: 12.0MB
MD5: da65ebd977d40f6c092bbc1d82397427
SHA1: 20d6f93c358c72476cec6ac750ba1f0c364c6e26
SHA256: bf00b8c65f1395322dace66b98f284510e944cbc1ede21a67db3d2e1b708a56c
SHA512: cc44c5cc84a085a8abc7c71e8733e91bd08274047dc145d39fd36bf41e5c1abe66b66e6db2cdd392081593f18e0e2c816e0f4b0d4a927437a356a6c601722c38
Signatures
MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload
Socelars Payload
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Vidar Stealer
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger