Overview

overview

10

Static

static

Setup_x32_x64.exe

windows7_x64

10

Setup_x32_x64.exe

windows10-2004_x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Setup_x32_x64.exe

  • Size

    2.6MB

  • Sample

    220202-dc2n4aegfr

  • MD5

    752b5d56168b131d484cc84222f26104

  • SHA1

    f6adc3b4edc27649dc1d9e3dca9dd2bdfc5e6109

  • SHA256

    155861db5cd0ff2110fbf198d8c969b9577f74024eee5e4a62d47bf1c3958b1a

  • SHA512

    c904f69627b6e0d0a933970a1d43552843f1616b2a23f8b018f91e4ec7c0dd78d02db43e3a9406e97863595de07d8e4c8f6e42492b870655e49f7802533de5a5

Score
10/10
redlinesocelarspablicherdiscoveryevasioninfostealerspywarestealersuricatatrojan

Malware Config

Extracted

Family

redline

Botnet

Pablicher

C2

185.215.113.10:39759

Extracted

Family

socelars

C2

http://www.anquyebt.com/

Targets

    • Target

      Setup_x32_x64.exe

    • Size

      2.6MB

    • MD5

      752b5d56168b131d484cc84222f26104

    • SHA1

      f6adc3b4edc27649dc1d9e3dca9dd2bdfc5e6109

    • SHA256

      155861db5cd0ff2110fbf198d8c969b9577f74024eee5e4a62d47bf1c3958b1a

    • SHA512

      c904f69627b6e0d0a933970a1d43552843f1616b2a23f8b018f91e4ec7c0dd78d02db43e3a9406e97863595de07d8e4c8f6e42492b870655e49f7802533de5a5

    Score
    10/10
    redlinesocelarspablicherdiscoveryevasioninfostealerspywarestealersuricatatrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

      suricata

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

1
T1089

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks