General
Target: Setup_x32_x64.exe
Size: 2.6MB
Sample: 220202-dc2n4aegfr
MD5: 752b5d56168b131d484cc84222f26104
SHA1: f6adc3b4edc27649dc1d9e3dca9dd2bdfc5e6109
SHA256: 155861db5cd0ff2110fbf198d8c969b9577f74024eee5e4a62d47bf1c3958b1a
SHA512: c904f69627b6e0d0a933970a1d43552843f1616b2a23f8b018f91e4ec7c0dd78d02db43e3a9406e97863595de07d8e4c8f6e42492b870655e49f7802533de5a5
Static task: static1
Behavioral task: behavioral1 (Sample: Setup_x32_x64.exe; Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: Setup_x32_x64.exe; Resource: win10v2004-en-20220113)
Malware Config
Extracted: redline
Botnet: Pablicher
C2: 185.215.113.10:39759
Extracted: socelars
C2: http://www.anquyebt.com/
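The extracted configs give two network indicators (the RedLine C2 host:port and the Socelars URL) and the header gives the file digests. The following is an added example, not code from the report or from the sandbox vendor, that turns those indicators into an offline checker: it hashes a byte string against the listed digests and scans proxy-style log lines for the RedLine C2 and for the Socelars hostname. The log line format, the client addresses and every destination other than the C2 are constructed assumptions for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from this report: digests from the header, C2 and URL
# from the extracted RedLine and Socelars configs.
SAMPLE_HASHES = {
    "md5": "752b5d56168b131d484cc84222f26104",
    "sha1": "f6adc3b4edc27649dc1d9e3dca9dd2bdfc5e6109",
    "sha256": "155861db5cd0ff2110fbf198d8c969b9577f74024eee5e4a62d47bf1c3958b1a",
    "sha512": "c904f69627b6e0d0a933970a1d43552843f1616b2a23f8b018f91e4ec7c0dd78d02db43e3a9406e97863595de07d8e4c8f6e42492b870655e49f7802533de5a5",
}
REDLINE_C2 = "185.215.113.10:39759"
SOCELARS_URL = "http://www.anquyebt.com/"


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256/sha512 hex digests of a byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def is_known_sample(data: bytes) -> bool:
    """True only if every listed digest matches; requiring all of them
    catches a mistyped indicator instead of silently matching on one."""
    digests = hash_bytes(data)
    return all(digests[name] == value for name, value in SAMPLE_HASHES.items())


def parse_c2(c2: str) -> tuple:
    """Split the 'host:port' form used in the RedLine config."""
    host, _, port = c2.rpartition(":")
    return host, int(port)


# Constructed proxy/firewall log lines (assumption: the format is
# "<timestamp> <client> <dst_ip>:<dst_port> <http_host_or_->"; clients and
# non-C2 destinations are made up, not taken from the report).
SAMPLE_LOG = """\
2022-02-02T10:15:01Z 10.0.0.7 185.215.113.10:39759 -
2022-02-02T10:15:03Z 10.0.0.7 93.184.216.34:443 www.example.com
2022-02-02T10:15:09Z 10.0.0.9 203.0.113.5:80 www.anquyebt.com
2022-02-02T10:16:00Z 10.0.0.7 185.215.113.10:443 -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) (?P<host>\S+)$"
)


def scan_log(text: str) -> list:
    """Return (client, indicator) pairs for lines touching the extracted IOCs.

    Exact host:port is the RedLine check-in; the same host on another port is
    reported separately as a weaker signal. The Socelars indicator is a URL,
    so its hostname is compared against the logged HTTP Host value.
    """
    c2_host, c2_port = parse_c2(REDLINE_C2)
    socelars_host = urlparse(SOCELARS_URL).hostname.lower()
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format
        if m["dst"] == c2_host:
            kind = "redline_c2" if int(m["port"]) == c2_port else "redline_c2_host_other_port"
            hits.append((m["src"], kind))
        if m["host"].lower() == socelars_host:
            hits.append((m["src"], "socelars_url_host"))
    return hits


if __name__ == "__main__":
    for client, indicator in scan_log(SAMPLE_LOG):
        print(f"{client}\t{indicator}")
```

Matching on the C2 host alone is kept as a separate, lower-confidence hit because RedLine panels commonly sit on reused infrastructure; the port match is the one that corresponds to the extracted config.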
Targets
Target: Setup_x32_x64.exe
Size: 2.6MB
MD5: 752b5d56168b131d484cc84222f26104
SHA1: f6adc3b4edc27649dc1d9e3dca9dd2bdfc5e6109
SHA256: 155861db5cd0ff2110fbf198d8c969b9577f74024eee5e4a62d47bf1c3958b1a
SHA512: c904f69627b6e0d0a933970a1d43552843f1616b2a23f8b018f91e4ec7c0dd78d02db43e3a9406e97863595de07d8e4c8f6e42492b870655e49f7802533de5a5
Signatures
- Process spawned unexpected child process. This typically indicates the parent process was compromised via an exploit or macro.
- RedLine. RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
- Executes dropped EXE
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Checks installed software on the system. Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service. Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
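The signature names above are what the sandbox derives from the sample's API trace. As an added example, not the report's or the sandbox vendor's code, the block below re-implements a subset of them over a constructed trace: dropped-file execution and loading, the Uninstall-key and country-code registry reads, the ThreadHideFromDebugger call, parent-spoofed process creation, cross-process SetThreadContext, and the connection to the extracted RedLine C2. Assumptions made for the example: the trace format (one dict per call, "pid" is the caller), all paths and pids, that the location check reads the Nation value under HKCU\Control Panel\International\Geo, and 0x11 as the ThreadHideFromDebugger information class.

```python
from collections import defaultdict

# NtSetInformationThread information class that hides a thread from debuggers.
THREAD_HIDE_FROM_DEBUGGER = 0x11

# Registry locations behind two of the signatures (lower-cased for prefix
# matching). Assumption: the location check reads the Nation value under the
# Geo key, the usual source of the configured country code.
UNINSTALL_KEY = r"hklm\software\microsoft\windows\currentversion\uninstall"
GEO_KEY = r"hkcu\control panel\international\geo"
REDLINE_C2 = ("185.215.113.10", 39759)  # from the extracted config

# Constructed API trace: paths, pids and everything except the C2 endpoint are
# made up for the example, not taken from the report.
TRACE = [
    {"pid": 100, "api": "NtWriteFile", "path": r"C:\Users\user\AppData\Local\Temp\setup_installer.exe"},
    {"pid": 100, "api": "NtWriteFile", "path": r"C:\Users\user\AppData\Local\Temp\libcurl.dll"},
    {"pid": 100, "api": "CreateProcess", "parent": 100,
     "image": r"C:\Users\user\AppData\Local\Temp\setup_installer.exe"},
    {"pid": 200, "api": "LoadLibrary", "path": r"C:\Users\user\AppData\Local\Temp\libcurl.dll"},
    {"pid": 200, "api": "RegOpenKey", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"pid": 200, "api": "RegOpenKey", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 200, "api": "RegOpenKey", "key": r"HKCU\Software\ExampleVendor\Settings"},  # benign, no hit
    {"pid": 200, "api": "NtSetInformationThread", "info_class": THREAD_HIDE_FROM_DEBUGGER},
    {"pid": 200, "api": "CreateProcess", "parent": 300, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 200, "api": "SetThreadContext", "target_pid": 300},
    {"pid": 200, "api": "connect", "ip": "185.215.113.10", "port": 39759},
]


def run_signatures(trace) -> list:
    """Evaluate a subset of the report's signatures over an API trace.

    Returns the sorted names of the signatures that fired. "Dropped" means a
    path that some process in the trace wrote earlier; executing or loading
    such a path later is what the two dropped-file signatures look for, so
    event order matters.
    """
    hits = set()
    dropped = set()  # lower-cased paths written by any process so far
    for ev in trace:
        api = ev["api"]
        if api == "NtWriteFile":
            dropped.add(ev["path"].lower())
        elif api == "CreateProcess":
            image = ev["image"].lower()
            if image in dropped and image.endswith(".exe"):
                hits.add("Executes dropped EXE")
            if ev["parent"] != ev["pid"]:  # caller is not the recorded parent
                hits.add("Suspicious use of NtCreateUserProcessOtherParentProcess")
        elif api == "LoadLibrary":
            if ev["path"].lower() in dropped:
                hits.add("Loads dropped DLL")
        elif api == "RegOpenKey":
            key = ev["key"].lower()
            if key.startswith(UNINSTALL_KEY):
                hits.add("Checks installed software on the system")
            elif key.startswith(GEO_KEY):
                hits.add("Checks computer location settings")
        elif api == "NtSetInformationThread":
            if ev["info_class"] == THREAD_HIDE_FROM_DEBUGGER:
                hits.add("Suspicious use of NtSetInformationThreadHideFromDebugger")
        elif api == "SetThreadContext":
            if ev["target_pid"] != ev["pid"]:  # thread belongs to another process
                hits.add("Suspicious use of SetThreadContext")
        elif api == "connect":
            if (ev["ip"], ev["port"]) == REDLINE_C2:
                hits.add("RedLine C2 185.215.113.10:39759")
    return sorted(hits)


if __name__ == "__main__":
    for name in run_signatures(TRACE):
        print(name)
```

The cross-process SetThreadContext check is deliberately coarse: on its own it fires on legitimate debuggers too, which is why the report lists it as "suspicious use" rather than as a malware verdict; combined with the parent-spoofed process creation in the same trace it is the usual footprint of process hollowing.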