3d41425daa1e1844be0539723042dc532a640e5ba9ef9cdd09e22176c960098b.exe

General
Target

3d41425daa1e1844be0539723042dc532a640e5ba9ef9cdd09e22176c960098b.exe

Size

6MB

Sample

220127-wqh31sggcm

Score
10 /10
MD5

57127333600b753c8c5f51a1c01552fc

SHA1

2c11da3a3989e6970508e8b1db1913c9cd9c9e4d

SHA256

3d41425daa1e1844be0539723042dc532a640e5ba9ef9cdd09e22176c960098b

SHA512

c6fde41e4bf7032c28a9e4f587f6f0e9984e13468a972d9f41d4f09d030f5b671bcdc4a3a1df3ae5a0786cc44028265f319b873bec6393203c0bd7b9625c3645

Malware Config

Extracted

Family socelars
C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.znsjis.top/

Extracted

Family redline
Botnet pab123
C2

45.14.49.169:22411

Extracted

Family redline
Botnet ANI
C2

45.142.215.47:27643

Extracted

Family redline
Botnet ruzkiKAKOYTO
C2

185.215.113.29:20819

Targets
Target

3d41425daa1e1844be0539723042dc532a640e5ba9ef9cdd09e22176c960098b.exe

MD5

57127333600b753c8c5f51a1c01552fc

Filesize

6MB

Score
10/10
SHA1

2c11da3a3989e6970508e8b1db1913c9cd9c9e4d

SHA256

3d41425daa1e1844be0539723042dc532a640e5ba9ef9cdd09e22176c960098b

SHA512

c6fde41e4bf7032c28a9e4f587f6f0e9984e13468a972d9f41d4f09d030f5b671bcdc4a3a1df3ae5a0786cc44028265f319b873bec6393203c0bd7b9625c3645

Tags

Signatures

  • Detected Djvu ransomware

  • Djvu Ransomware

    Description

    Ransomware which is a variant of the STOP family.

    Tags

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify RegistryModify Existing ServiceDisabling Security Tools
  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • RedLine Payload

  • Socelars

    Description

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    Tags

  • Socelars Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • suricata: ET MALWARE GCleaner Downloader Activity M5

    Description

    suricata: ET MALWARE GCleaner Downloader Activity M5

    Tags

  • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    Description

    suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    Tags

  • suricata: ET MALWARE Suspicious Download Setup_ exe

    Description

    suricata: ET MALWARE Suspicious Download Setup_ exe

    Tags

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Description

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    Tags

  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    Description

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    Tags

  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Tags

  • Downloads MZ/PE file

  • Executes dropped EXE

  • VMProtect packed file

    Description

    Detects executables packed with VMProtect commercial packer.

    Tags

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Description

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Privilege Escalation