General
Target: 220131-tqbb3al1qz_pw_infected.zip
Size: 6.7MB
Sample: 220201-y2rkmsbeg3
MD5: 98f15a4e5a595c31af6f30cb472e8c5e
SHA1: 370fc77d73b75b51ae4ee9e860cf097864c7fdde
SHA256: 62fe0d20b451de5c3233c96364b4162386fcbfd555cd9fd099fa347c8e61fdfc
SHA512: 79e285f180140ed12e069aa683649c02bd9aeecd9ab7754db493b6b4361de27fae36e72217b14bc066dc3759abeb58afc2fb20abaa36753af60c4b3d68e0397a
Static task: static1
Malware Config
Extracted: socelars
  http://www.iyiqian.com/
  http://www.hbgents.top/
  http://www.rsnzhy.com/
  http://www.znsjis.top/
Extracted: redline (she)
  135.181.129.119:4805
Extracted: redline (media14)
  91.121.67.60:2151
Extracted: redline (ANI)
  194.104.136.5:46013
Targets
Target: 02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135
Size: 6.8MB
MD5: dcd0d8a4e476db4602f3beae6a60b4c9
SHA1: 7906d0674d60685b06289db375eacf954e3185e3
SHA256: 02ca2b5bb774890c50950ad93becc2851bac8d04c35464dad4854088c5db4135
SHA512: 62301111141dcc72862dde4d277b4250c25bb7532105348bbb51e8ca30ded5c985016a61978509c271210faf50cbe5d789ce5f6de84511167b2c5131e8041bd8
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext