General
Target: 991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe
Size: 7.3MB
Sample: 211130-rmav1sacg9
MD5: c359e494265926fee7567c9565c363dd
SHA1: 0daacd8bcc4867a67cfe9a08514de7ec1f56524e
SHA256: 991d4dc612ff80ab2506510dba31531db995fe3f64318fbffd4e327d77b36c3f
SHA512: 62d4e89064dfd85c3130b670ecb14ac201aa7302ed8d556eddb1c9ab9866a5363e500313c4ae71763b32141e04e1b12ff64094d4c9f62683a0ae0927fd57b9e7
Static task: static1
Behavioral task: behavioral1
Sample: 991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe
Resource: win7-en-20211104
Behavioral task: behavioral2
Sample: 991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe
Resource: win10-en-20211104
Malware Config
Extracted: socelars
Extracted: smokeloader
2020
Extracted: redline
jamesfuck
65.108.20.195:6774
Extracted: redline
ANI
45.142.215.47:27643
Extracted: raccoon
1.8.3-hotfix
fe1f102f3334068962b64125bcb00816dba46087
url4cnc
Targets
Target: 991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext