Resubmissions
Date              Sample             Score
04-06-2023 21:35  230604-1fcwgadg89  10
13-02-2022 03:16  220213-dsq8asfbej  10
13-02-2022 03:12  220213-dqagrsdda9  10
13-02-2022 03:11  220213-dpxwnsfbdq  10
06-12-2021 20:39  211206-zflypsfahr  10
19-10-2021 03:48  211019-ec1mgafbf7  10
11-08-2021 05:28  210811-rjsxfvjxd2  10
11-08-2021 05:07  210811-rs31ylg4ls  10
11-08-2021 04:56  210811-tvaldfm4jx  10
General
-
Target
Setup.exe
-
Size
1.6MB
-
Sample
211206-zflypsfahr
-
MD5
ce6eaa52767b2df78b34519231966588
-
SHA1
ab32d09951189022a1a39e9204ec9ce2926b3fcf
-
SHA256
40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5
-
SHA512
36a09fe704823d6db5d0982d761ba1976c940b82b7c1ca650627d66e16b420612b78c761f2ed00e533453eeb2dd7e431cf47b0c2cf826354aa6e779fda531067
Static task
static1
Malware Config
Extracted
socelars
http://www.wgqpw.com/
Extracted
xloader
2.5
pm8c
http://www.jiaoyim9.xyz/pm8c/
texascyclerepair.com
torontopearsonairportlimos.com
joycegsy.com
westsrocks.com
em-on-to-u-fan-ian.com
peopletruckerinsurance.com
viaency.com
cyberfortgroup.cloud
gosecure.info
adsmedis.com
vikinghoneywines.com
scholarsreincarnation.online
dailyporncomics.com
crassbastards.com
weientm.com
directiontoafunlife.com
omaryargelia.net
vicivendas.com
whitesource.xyz
peoplesforgiveness.com
rotiesera.com
708090.info
linsfor.com
bioficrypto.com
paulinascounselling.com
countriboicannabis.com
testepsidialog.com
beautytipsexpert.com
g20hotels.com
recountpor.xyz
iphone13mini.radio
seasaltcanvasco.com
gorgeouswarm.com
chatterplate.net
friendsofrythmia.com
cozumelsexpress.com
deliverydriverclaims.online
177431.com
ebudgetrentals.com
dbuding.com
ubsproperty.com
weicaigyl.com
avonsex.com
bmw915.xyz
68145.online
mxscarves.store
yudundt.com
gaimubori.xyz
surffikauppa.com
martegeo-stylishhome.online
unviajeinsospechado.com
thurgauer.com
rufus-global.com
loong3d.online
searakloset.com
whistlergardencenter.com
fuzzyoldman.net
repippo.com
neutralblocker.com
foundationsoflearning.com
mgastor.com
babyadvices.com
jonnystokes.com
soyeniu.com
Extracted
redline
RUZKI
185.215.113.29:26828
Targets
-
Target
Setup.exe
-
Size
1.6MB
-
MD5
ce6eaa52767b2df78b34519231966588
-
SHA1
ab32d09951189022a1a39e9204ec9ce2926b3fcf
-
SHA256
40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5
-
SHA512
36a09fe704823d6db5d0982d761ba1976c940b82b7c1ca650627d66e16b420612b78c761f2ed00e533453eeb2dd7e431cf47b0c2cf826354aa6e779fda531067
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Suspicious Download Setup_ exe
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Xloader Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-