General
Target: 3d41425daa1e1844be0539723042dc532a640e5ba9ef9cdd09e22176c960098b.exe
Size: 6.9MB
Sample: 220127-wqh31sggcm
MD5: 57127333600b753c8c5f51a1c01552fc
SHA1: 2c11da3a3989e6970508e8b1db1913c9cd9c9e4d
SHA256: 3d41425daa1e1844be0539723042dc532a640e5ba9ef9cdd09e22176c960098b
SHA512: c6fde41e4bf7032c28a9e4f587f6f0e9984e13468a972d9f41d4f09d030f5b671bcdc4a3a1df3ae5a0786cc44028265f319b873bec6393203c0bd7b9625c3645
Static task: static1
Behavioral task: behavioral1
Sample: 3d41425daa1e1844be0539723042dc532a640e5ba9ef9cdd09e22176c960098b.exe
Resource: win7-en-20211208
Malware Config
Extracted: socelars
  http://www.iyiqian.com/
  http://www.xxhufdc.top/
  http://www.uefhkice.xyz/
  http://www.znsjis.top/
Extracted: redline
  pab123
  45.14.49.169:22411
Extracted: redline
  ANI
  45.142.215.47:27643
Extracted: redline
  ruzkiKAKOYTO
  185.215.113.29:20819
Targets
Target: 3d41425daa1e1844be0539723042dc532a640e5ba9ef9cdd09e22176c960098b.exe (6.9MB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Detected Djvu ransomware
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Suspicious Download Setup_ exe
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext