General
-
Target
bdae6a469baba91b2d5b54be5c4e5bfc0f07c6e6dfa20a0c26a6c3f336f20955
-
Size
12.5MB
-
Sample
220217-y8lyqsebe8
-
MD5
5c54816f877e9df7706273ecdb83e67d
-
SHA1
e25dc57c8da5a756eac05f4e80d34244e88f3b63
-
SHA256
bdae6a469baba91b2d5b54be5c4e5bfc0f07c6e6dfa20a0c26a6c3f336f20955
-
SHA512
cc47735f588d13f410fb473e8cf7103813f60f72a523eb97e376afe77f183ccd23b64f9cb4f87751a3c2ac4f2d407b3fac8c5eb23bd0ea8e2262a1b4ffab4aa6
Static task
static1
Behavioral task
behavioral1
Sample
bdae6a469baba91b2d5b54be5c4e5bfc0f07c6e6dfa20a0c26a6c3f336f20955.exe
Resource
win10v2004-en-20220112
Malware Config
Extracted
socelars
https://dhner.s3.ap-southeast-2.amazonaws.com/eyxjet/
Targets
-
Target
bdae6a469baba91b2d5b54be5c4e5bfc0f07c6e6dfa20a0c26a6c3f336f20955
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
A process was created with a parent handle other than the caller's own (parent PID spoofing), so process-tree lineage no longer shows the true creator.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
OnlyLogger Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS vendor and version strings are often read from the registry to detect virtualised sandbox environments.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
NtSetInformationThread with ThreadHideFromDebugger stops the thread from delivering debug events, a common anti-debugging technique.
-
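The anti-VM and geofence signatures above (VirtualBox ACPI values, BIOS information, computer location settings) all come down to reading a handful of registry values. The script below is an added example, not code from the report or from the sample; it evaluates those same values so an analyst can check which artefacts an analysis VM exposes before detonating a sample. The registry paths are the standard ones for these checks; the hypervisor marker strings, the two sample snapshots and the blocked GeoID allowlist are constructed assumptions for illustration (the report does not say which countries the sample avoids). On Windows, `read_live_registry()` collects the real values via `winreg`; elsewhere the constructed snapshots are assessed.

```python
"""Added example: evaluate the registry artefacts behind the report's
anti-VM / BIOS / geofence signatures. Not part of the sandbox report."""
import sys
from typing import Dict, List, Optional

# Registry locations commonly read by samples for these checks.
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"
ACPI_TABLE_KEYS = [r"HKLM\HARDWARE\ACPI\DSDT", r"HKLM\HARDWARE\ACPI\FADT",
                   r"HKLM\HARDWARE\ACPI\RSDT"]
GEO_KEY = r"HKCU\Control Panel\International\Geo"

# Assumed hypervisor markers (illustrative list, not from the report).
VM_MARKERS = ("innotek", "virtualbox", "vbox", "vmware", "qemu", "bochs", "xen", "kvm")
# Assumed blocked Windows GeoIDs: 203 Russia, 241 Ukraine, 29 Belarus, 209 Kazakhstan.
EXAMPLE_BLOCKED_GEOIDS = {203, 241, 29, 209}


def vm_indicators(bios_values: Dict[str, str], acpi_subkeys: Dict[str, List[str]]) -> List[str]:
    """Return one finding per BIOS value or ACPI table OEM ID that names a hypervisor."""
    hits: List[str] = []
    for name, value in bios_values.items():
        low = value.lower()
        for marker in VM_MARKERS:
            if marker in low:
                hits.append(f"{BIOS_KEY}\\{name}={value!r} matches {marker!r}")
                break
    for key, subkeys in acpi_subkeys.items():
        for sub in subkeys:
            if any(marker in sub.lower() for marker in VM_MARKERS):
                hits.append(f"{key}\\{sub}: hypervisor-branded ACPI table OEM ID")
    return hits


def geofence_blocked(nation_value: str, blocked_geoids=EXAMPLE_BLOCKED_GEOIDS) -> bool:
    """Geo\\Nation holds a decimal GeoID string; non-numeric values never match."""
    try:
        return int(nation_value) in blocked_geoids
    except ValueError:
        return False


def assess(snapshot: dict, blocked_geoids=EXAMPLE_BLOCKED_GEOIDS) -> dict:
    hits = vm_indicators(snapshot["bios"], snapshot["acpi"])
    return {
        "vm_indicators": hits,
        "looks_like_vm": bool(hits),
        "geofenced": geofence_blocked(snapshot["geo"].get("Nation", ""), blocked_geoids),
    }


def read_live_registry() -> Optional[dict]:
    """Collect the same values on a Windows host; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module

    def values(root, path):
        out, i = {}, 0
        try:
            with winreg.OpenKey(root, path) as k:
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    out[name] = str(data)
                    i += 1
        except OSError:
            pass
        return out

    def subkeys(root, path):
        out, i = [], 0
        try:
            with winreg.OpenKey(root, path) as k:
                while True:
                    try:
                        out.append(winreg.EnumKey(k, i))
                    except OSError:
                        break
                    i += 1
        except OSError:
            pass
        return out

    strip = lambda k: k.split("\\", 1)[1]  # drop the HKLM\ / HKCU\ prefix
    return {
        "bios": values(winreg.HKEY_LOCAL_MACHINE, strip(BIOS_KEY)),
        "acpi": {k: subkeys(winreg.HKEY_LOCAL_MACHINE, strip(k)) for k in ACPI_TABLE_KEYS},
        "geo": values(winreg.HKEY_CURRENT_USER, strip(GEO_KEY)),
    }


# Constructed snapshots: a stock VirtualBox guest and a VM with spoofed vendor strings.
SAMPLE_VBOX_GUEST = {
    "bios": {"SystemManufacturer": "innotek GmbH", "SystemProductName": "VirtualBox",
             "BIOSVendor": "innotek GmbH", "BIOSVersion": "VirtualBox"},
    "acpi": {k: ["VBOX__"] for k in ACPI_TABLE_KEYS},
    "geo": {"Nation": "244"},
}
SAMPLE_HARDENED = {
    "bios": {"SystemManufacturer": "Dell Inc.", "SystemProductName": "OptiPlex 7090",
             "BIOSVendor": "Dell Inc.", "BIOSVersion": "1.4.2"},
    "acpi": {k: ["DELL__"] for k in ACPI_TABLE_KEYS},
    "geo": {"Nation": "244"},
}

if __name__ == "__main__":
    live = read_live_registry()
    for label, snap in ([("live host", live)] if live else [("vbox sample", SAMPLE_VBOX_GUEST),
                                                           ("hardened sample", SAMPLE_HARDENED)]):
        print(label, assess(snap))
```

A sandbox that reports zero `vm_indicators` and a `Nation` value outside the assumed blocked set is the configuration under which a sample carrying these three checks would proceed to its payload stage; a stock VirtualBox guest trips every one of them.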