General
Target: bfa68a461642099d9cee4db76cf0f4fa93e7718e9dd9ed4ff0f5aa891150622d
Size: 11.0MB
Sample: 220219-q6zg2sadg8
MD5: b0f27988343b88109e3619ec71ba1ea6
SHA1: 89dae3b3297c3f872af2387200658defa9e29053
SHA256: bfa68a461642099d9cee4db76cf0f4fa93e7718e9dd9ed4ff0f5aa891150622d
SHA512: 62e70b79c90b1093c793f3f02b7e9fcdbd0ffc7fe3a3584c894c2a1fc844449bf7145c4785f9bd841b35dffb8d4f4073c79a3e5dd55ecf72f4dd96cac3c94f63
Static task: static1

Malware Config
Extracted: socelars
URL: https://sa-us-bucket.s3.us-east-2.amazonaws.com/sagdys/

Targets
Target: bfa68a461642099d9cee4db76cf0f4fa93e7718e9dd9ed4ff0f5aa891150622d
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- XMRig Miner Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext