Malware sandboxing report by Hatching Triage

Sharing

General

Target

3d41425daa1e1844be0539723042dc532a640e5ba9ef9cdd09e22176c960098b.exe
Size

6MB
Sample

220127-wqh31sggcm
MD5

57127333600b753c8c5f51a1c01552fc
SHA1

2c11da3a3989e6970508e8b1db1913c9cd9c9e4d
SHA256

3d41425daa1e1844be0539723042dc532a640e5ba9ef9cdd09e22176c960098b
SHA512

c6fde41e4bf7032c28a9e4f587f6f0e9984e13468a972d9f41d4f09d030f5b671bcdc4a3a1df3ae5a0786cc44028265f319b873bec6393203c0bd7b9625c3645

Score

10^/10

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.znsjis.top/

Extracted

Family

redline

Botnet

pab123

45.14.49.169:22411

Extracted

Family

redline

Botnet

ANI

45.142.215.47:27643

Extracted

Family

redline

Botnet

ruzkiKAKOYTO

185.215.113.29:20819

Targets

- Target
  
  3d41425daa1e1844be0539723042dc532a640e5ba9ef9cdd09e22176c960098b.exe
- Size
  
  6MB
- MD5
  
  57127333600b753c8c5f51a1c01552fc
- SHA1
  
  2c11da3a3989e6970508e8b1db1913c9cd9c9e4d
- SHA256
  
  3d41425daa1e1844be0539723042dc532a640e5ba9ef9cdd09e22176c960098b
- SHA512
  
  c6fde41e4bf7032c28a9e4f587f6f0e9984e13468a972d9f41d4f09d030f5b671bcdc4a3a1df3ae5a0786cc44028265f319b873bec6393203c0bd7b9625c3645
Score

10^/10

djvu redline socelars ani pab123 ruzkikakoyto aspackv2 evasion infostealer ransomware spyware stealer suricata trojan vmprotect
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata
- suricata: ET MALWARE Suspicious Download Setup_ exe
  suricata: ET MALWARE Suspicious Download Setup_ exe
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  suricata
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

T1005

Command and Control

Credential Access

Credentials in Files

T1081

Defense Evasion

Disabling Security Tools

T1089

Web Service

T1102

Modify Registry

T1112

Install Root Certificate

T1130

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Modify Existing Service

T1031

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Detected Djvu ransomware

Djvu Ransomware

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine Payload

Socelars

Socelars Payload

Suspicious use of NtCreateProcessExOtherParentProcess

suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata: ET MALWARE Suspicious Download Setup_ exe

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

VMProtect packed file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2