General

- Target: 1E4B2AF07CB9E6478DBF5051E1839A1F944E950A6F2DB.exe
- Size: 4.2MB
- Sample: 220205-akggcagabm
- MD5: fa9abc629c67c188f165366e2fe30971
- SHA1: f3bee20db3275d737e18a28f9020379e73e5a226
- SHA256: 1e4b2af07cb9e6478dbf5051e1839a1f944e950a6f2dbadc94446928e46e7d45
- SHA512: 833e8a456d8fb0644b5fa8c619b5fac68d8b0a78baacf5e9f4a1a89405112ed08460bd545d10e18ac2015e3b17807a49b40eebdda2878b483e96d2f9a2f938ca
Static task: static1

Behavioral task: behavioral1
- Sample: 1E4B2AF07CB9E6478DBF5051E1839A1F944E950A6F2DB.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 1E4B2AF07CB9E6478DBF5051E1839A1F944E950A6F2DB.exe
- Resource: win10v2004-en-20220113
Malware Config

Extracted: socelars
- http://www.iyiqian.com/
- http://www.hbgents.top/
- http://www.rsnzhy.com/
- http://www.znsjis.top/

Extracted: redline
- jamesoldd
- 65.108.20.195:6774

Extracted: redline
- ANI
- 45.142.215.47:27643
Targets
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of SetThreadContext