General
Target

70E14DDF23A5FE3D69CC50752FCC491AA2964A2CFEE3D.exe

Size

5MB

Sample

220125-hqya2sagh2

Score
10/10
MD5

b6038cccff037514a3cd3a2346abaa27

SHA1

eb6bc44515419244e194d1b2694aca570ba91f7a

SHA256

70e14ddf23a5fe3d69cc50752fcc491aa2964a2cfee3d48caf182244929f9953

SHA512

2a05f2e531078b011ce5fd45ff8dcc9a0de8d045aa80230f6b79a02330064561db19a68cde4be3717b92e08067d7c063712cb2ed2cd9de8aa616162506cf407b

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

redline

Botnet

chris

C2

194.104.136.5:46013

Extracted

Family

redline

Botnet

sert23

C2

135.181.129.119:4805

Extracted

Family

redline

Botnet

media26

C2

91.121.67.60:23325

Targets
Target

70E14DDF23A5FE3D69CC50752FCC491AA2964A2CFEE3D.exe

MD5

b6038cccff037514a3cd3a2346abaa27

Filesize

5MB

Score
10/10
SHA1

eb6bc44515419244e194d1b2694aca570ba91f7a

SHA256

70e14ddf23a5fe3d69cc50752fcc491aa2964a2cfee3d48caf182244929f9953

SHA512

2a05f2e531078b011ce5fd45ff8dcc9a0de8d045aa80230f6b79a02330064561db19a68cde4be3717b92e08067d7c063712cb2ed2cd9de8aa616162506cf407b

Tags

Signatures

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify RegistryModify Existing ServiceDisabling Security Tools
  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Description

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Privilege Escalation