General
-
Target
password_is_7364857387____sketchup-pro-20.zip
-
Size
10.5MB
-
Sample
211125-1t62gaghhp
-
MD5
c0a29eed1efa12f97b9019720e43fa19
-
SHA1
3bfad68c32d0b43c157d68eee466ffaa2405c87b
-
SHA256
2fa123bb89814a5aee72cac76db7c3e5c390708ea7334a002d806af1349ee192
-
SHA512
46dfb833a04f2f722210022a32f6f3590b7e35b72f0d4aed95d55389b8db865414ca5f2b14331deb87ee9006f8bd915a49dbe4008b05cc2b0c3ec29ead0a8862
Static task
static1
Malware Config
Extracted
socelars
http://www.ecgbg.com/
Extracted
redline
media25p
65.108.69.168:16278
Extracted
redline
user01new
49.12.219.50:4846
Targets
-
Target
setup_x86_x64_install.exe
-
Size
10.5MB
-
MD5
7dbcda13214a7877ddd5e58fdec24aed
-
SHA1
8feba771d98a710e47f3450cb2c7717c2de86fbe
-
SHA256
25f17e53e15c109c0c329c3f51ce2256357b549044409007f5c7e858edcf0d28
-
SHA512
78debe045bb8b138946e58a277e45d6c1ec838291935dccd3a3264e467bf81c6aa204bf37dab80296cb8fea22360e723228e2bfa7dae19a128f373ccd0ebee24
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-