General

  • Target

    5213534839013376.zip

  • Size

    7.0MB

  • Sample

    220302-1typ4agda7

  • MD5

    427e7b72d31cf76f2f36deb3eb762cc4

  • SHA1

    08be2960808aa7cde50c5806d5d8aafb8363ca8d

  • SHA256

    a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb

  • SHA512

    9a5370c8a928f09ba28afe01f7f01587cb734f5ace6225400812ecbed38910f5e67f7e6499a21cee63fa7c1cd158010385ad3a69b18f63c12b75f29ec356d71d

Malware Config

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/

Extracted

Family

redline

Botnet

alltop

C2

deyneyab.xyz:80

Attributes
  • auth_value

    6fadc2b44b16945c8f721b77e484a725

Extracted

Family

redline

Botnet

allsup

C2

193.150.103.37:81

Attributes
  • auth_value

    e46711734d1a10599f62ed229e676578

Extracted

Family

redline

Botnet

media60603

C2

92.255.57.154:11841

Attributes
  • auth_value

    32ca3353c43f67b3879fce4660e9c65d
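The configs above give three RedLine host:port pairs and one Socelars URL that lives under a legitimate S3 bucket. The following is an added example (not part of the sandbox report) showing how to turn those indicators into a proxy-log check: RedLine is matched on exact host:port, with the same host on another port surfaced at lower confidence, and Socelars is matched on bucket host plus path prefix, since blocking amazonaws.com wholesale is not an option. The indicator values are copied from the report; the log format and log lines are constructed for illustration.

```python
"""Match proxy-log lines against the C2 indicators extracted above.

Added example, not part of the sandbox report. The indicator values are the
ones the report extracted; the log lines and the log format are constructed.
"""
from urllib.parse import urlsplit

# Socelars C2: a path inside a legitimate S3 bucket (copied from the report).
SOCELARS_C2_URLS = ["https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/"]

# RedLine C2s as "host:port" -> botnet label (copied from the report). The
# auth_value attributes are per-build tokens sent inside the C2 session, not
# something a proxy log shows, so they are not matched here.
REDLINE_C2 = {
    "deyneyab.xyz:80": "alltop",
    "193.150.103.37:81": "allsup",
    "92.255.57.154:11841": "media60603",
}

# host -> [(port, botnet)], so a host seen on an unexpected port still surfaces.
REDLINE_BY_HOST = {}
for _hp, _bot in REDLINE_C2.items():
    _host, _port = _hp.rsplit(":", 1)
    REDLINE_BY_HOST.setdefault(_host.lower(), []).append((int(_port), _bot))

# (bucket host, path prefix): the match key is the bucket plus the directory
# the C2 lives under, not the amazonaws.com domain.
SOCELARS_PREFIXES = [(urlsplit(u).netloc.lower(), urlsplit(u).path)
                     for u in SOCELARS_C2_URLS]

# Constructed log. Format: <timestamp> <client> <dest_host:port> <method> <url or ->
SAMPLE_LOG = """\
2022-03-02T21:14:05Z 10.0.0.15 deyneyab.xyz:80 CONNECT -
2022-03-02T21:14:06Z 10.0.0.15 sa-us-bucket.s3.us-east-2.amazonaws.com:443 GET https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/update.txt
2022-03-02T21:14:07Z 10.0.0.22 other-bucket.s3.us-east-2.amazonaws.com:443 GET https://other-bucket.s3.us-east-2.amazonaws.com/files/a.zip
2022-03-02T21:14:08Z 10.0.0.15 92.255.57.154:443 CONNECT -
2022-03-02T21:14:09Z 10.0.0.15 193.150.103.37:81 CONNECT -
"""


def match_line(line):
    """Return a list of hit dicts for one log line (empty list = clean)."""
    parts = line.split()
    if len(parts) < 5:
        return []
    _ts, client, dest, _method, url = parts[:5]
    host, _, port = dest.rpartition(":") if ":" in dest else (dest, "", "")
    host = host.lower()
    hits = []

    # RedLine: exact host:port is high confidence; same host on another port is
    # worth a look (operators rotate ports) but only medium confidence.
    for c2_port, botnet in REDLINE_BY_HOST.get(host, []):
        exact = port.isdigit() and int(port) == c2_port
        hits.append({
            "family": "redline",
            "botnet": botnet,
            "indicator": f"{host}:{c2_port}",
            "confidence": "high" if exact else "medium",
            "client": client,
        })

    # Socelars: bucket host plus path prefix of the request URL.
    if url != "-":
        u = urlsplit(url)
        for bucket_host, prefix in SOCELARS_PREFIXES:
            if u.netloc.lower() == bucket_host and u.path.startswith(prefix):
                hits.append({
                    "family": "socelars",
                    "botnet": None,
                    "indicator": f"https://{bucket_host}{prefix}",
                    "confidence": "high",
                    "client": client,
                })
    return hits


def scan(log_text):
    """Scan a whole log; each hit is tagged with its 1-based line number."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for h in match_line(line):
            h["line"] = n
            hits.append(h)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
```

Run against the constructed log this reports four hits: two exact RedLine matches (alltop, allsup), one Socelars match on the bucket path, and one medium-confidence hit for the media60603 host contacted on 443 instead of 11841. The other-bucket line is correctly ignored.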

Targets

    • Target

      0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6

    • Size

      7.1MB

    • MD5

      1f6e0a406d4d8dbd2c113d3565dbe7a8

    • SHA1

      dc5a439e7a0e918494c1065fe15d4bbe2b9b33be

    • SHA256

      0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6

    • SHA512

      59310d8756a63d7df6c05a6ae78721d8339913bca4b47e076a60cdc95071bd690648c1e298bd29510fc252d813a0ea3dc05d7cdf07ef243770722d4fe1b8e59c

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Socelars

      Socelars is an infostealer that targets browser cookies and stored credit card data.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
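Before working on a local copy of the sample it is worth confirming it is the same file the report describes and that the dropped payload is really an MZ/PE image, as the "Downloads MZ/PE file" and "Executes dropped EXE" signatures claim. The following is an added example (not part of the sandbox report): the digests are copied from the report, FAKE_PE is a constructed stand-in used only to exercise the header check, and hash_file streams the file so a 7 MB sample is not read into memory at once.

```python
"""Confirm a local copy matches the report's sample before analysing it.

Added example, not part of the sandbox report. The digests are copied from the
report; FAKE_PE is a constructed 72-byte stand-in used only to exercise the code.
"""
import hashlib
import struct

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Digests copied from the report (sha512 omitted from this table to keep it
# short; hash_bytes/hash_file still compute it for comparison by hand).
REPORT_HASHES = {
    "5213534839013376.zip": {
        "md5": "427e7b72d31cf76f2f36deb3eb762cc4",
        "sha1": "08be2960808aa7cde50c5806d5d8aafb8363ca8d",
        "sha256": "a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb",
    },
    "0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6": {
        "md5": "1f6e0a406d4d8dbd2c113d3565dbe7a8",
        "sha1": "dc5a439e7a0e918494c1065fe15d4bbe2b9b33be",
        "sha256": "0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6",
    },
}


def hash_bytes(data):
    """All four report digests of an in-memory blob."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path, chunk=1 << 20):
    """Same digests for a file on disk, streamed in 1 MiB blocks."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def mismatches(actual, expected):
    """Algorithms whose digest differs from the report (empty list = same sample)."""
    return [a for a, want in expected.items()
            if actual.get(a, "").lower() != want.lower()]


def is_pe(data):
    """Minimal MZ/PE check: 'MZ' at offset 0, e_lfanew at 0x3C pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def check(data, name):
    """Verify a blob against report entry `name`: digest mismatches plus PE sanity."""
    return {"mismatches": mismatches(hash_bytes(data), REPORT_HASHES[name]),
            "is_pe": is_pe(data)}


# Constructed stand-in: a DOS header whose e_lfanew (0x40) points at a bare
# PE signature. It is not a loadable image, only enough to exercise is_pe().
FAKE_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(4)


if __name__ == "__main__":
    import sys
    path, name = sys.argv[1], sys.argv[2]
    bad = mismatches(hash_file(path), REPORT_HASHES[name])
    print("digest mismatches:", bad or "none")
    with open(path, "rb") as f:
        print("MZ/PE header:", is_pe(f.read()))
```

Usage: `python verify_sample.py <local file> 0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6`. Any non-empty mismatch list means the file on disk is not the one this report analysed, regardless of name, and a False PE result on the dropped file means the "Executes dropped EXE" behaviour seen here would not reproduce from it.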

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic               Technique                      Count  ID
Defense Evasion      Modify Registry                2      T1112
Defense Evasion      Install Root Certificate       1      T1130
Credential Access    Credentials in Files           2      T1081
Discovery            Query Registry                 5      T1012
Discovery            System Information Discovery   5      T1082
Discovery            Peripheral Device Discovery    1      T1120
Collection           Data from Local System         2      T1005
Command and Control  Web Service                    1      T1102

The IDs follow ATT&CK v6. In current ATT&CK versions T1130 has been retired in favour of T1553.004 (Subvert Trust Controls: Install Root Certificate) and T1081 in favour of T1552.001 (Unsecured Credentials: Credentials In Files); remap them before feeding this matrix into a detection catalogue built on a newer ATT&CK release.

Tasks