General
-
Target
http://crackdj.com
-
Sample
220225-q7zt7sgcf9
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://crackdj.com
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
http://crackdj.com
Resource
win10-20220223-en
Behavioral task
behavioral3
Sample
http://crackdj.com
Resource
win10v2004-en-20220112
Behavioral task
behavioral4
Sample
http://crackdj.com
Resource
win11-20220223-en
Malware Config
Extracted
socelars
https://frertge.s3.eu-west-2.amazonaws.com/asdhbf/
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://pjure.at/upload/
http://puffersweiven.com/upload/
http://algrcabel.ru/upload/
http://pelangiqq99.com/upload/
http://elsaunny.com/upload/
http://korphoto.com/upload/
http://hangxachtaythodoan.com/upload/
http://pkodev.net/upload/
http://go-piratia.ru/upload/
http://piratia.su/upload/
Extracted
icedid
2715004312
Targets
-
-
Target
http://crackdj.com
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
OnlyLogger Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-