General
Target: 23f5da2cc1bb5df46b138d875ac4b64ea27aa27a2cbf1f0553cd2b190f88db95
Size: 3.5MB
Sample: 220222-m7ex9agae8
MD5: 89626c3e855f2a1e61538b25eb67e164
SHA1: 2aa6c18519a1e5ed7af47b13644b87dde12d89a2
SHA256: 23f5da2cc1bb5df46b138d875ac4b64ea27aa27a2cbf1f0553cd2b190f88db95
SHA512: bb22d8fa114aa5ea662eb6837861afb3a053fca6587df077965d74f2fe8b3e98891888e2af01b0bab5f6e8329989a298810397614cf77b9669e4b88d33e17501
Static task: static1
Behavioral task: behavioral1
Sample: 23f5da2cc1bb5df46b138d875ac4b64ea27aa27a2cbf1f0553cd2b190f88db95.exe
Resource: win7-en-20211208
Malware Config
Extracted (family: socelars)
  http://www.iyiqian.com/
  http://www.xxhufdc.top/
  http://www.uefhkice.xyz/
  http://www.fcektsy.top/
Extracted (family: redline)
  Liez
  zisiarenal.xyz:80
Extracted (family: vidar)
  39.9
  706
  https://prophefliloc.tumblr.com/
  profile_id: 706
Extracted (family: smokeloader)
  2020
  http://aucmoney.com/upload/
  http://thegymmum.com/upload/
  http://atvcampingtrips.com/upload/
  http://kuapakualaman.com/upload/
  http://renatazarazua.com/upload/
  http://nasufmutlu.com/upload/
Targets
Target: 23f5da2cc1bb5df46b138d875ac4b64ea27aa27a2cbf1f0553cd2b190f88db95
Size: 3.5MB
MD5: 89626c3e855f2a1e61538b25eb67e164
SHA1: 2aa6c18519a1e5ed7af47b13644b87dde12d89a2
SHA256: 23f5da2cc1bb5df46b138d875ac4b64ea27aa27a2cbf1f0553cd2b190f88db95
SHA512: bb22d8fa114aa5ea662eb6837861afb3a053fca6587df077965d74f2fe8b3e98891888e2af01b0bab5f6e8329989a298810397614cf77b9669e4b88d33e17501
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar Stealer
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext