Overview

overview

10

Static

static

0491bc5f72...c6.exe

windows7_x64

10

0491bc5f72...c6.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5213534839013376.zip

  • Size

    7.0MB

  • Sample

    220302-1typ4agda7

  • MD5

    427e7b72d31cf76f2f36deb3eb762cc4

  • SHA1

    08be2960808aa7cde50c5806d5d8aafb8363ca8d

  • SHA256

    a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb

  • SHA512

    9a5370c8a928f09ba28afe01f7f01587cb734f5ace6225400812ecbed38910f5e67f7e6499a21cee63fa7c1cd158010385ad3a69b18f63c12b75f29ec356d71d

Score
10/10
redlinesocelarsallsupalltopmedia60603aspackv2discoveryinfostealerspywarestealerupx

Malware Config

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/

Extracted

Family

redline

Botnet

alltop

C2

deyneyab.xyz:80

Attributes
  • auth_value

    6fadc2b44b16945c8f721b77e484a725

Extracted

Family

redline

Botnet

allsup

C2

193.150.103.37:81

Attributes
  • auth_value

    e46711734d1a10599f62ed229e676578

Extracted

Family

redline

Botnet

media60603

C2

92.255.57.154:11841

Attributes
  • auth_value

    32ca3353c43f67b3879fce4660e9c65d

Targets

    • Target

      0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6

    • Size

      7.1MB

    • MD5

      1f6e0a406d4d8dbd2c113d3565dbe7a8

    • SHA1

      dc5a439e7a0e918494c1065fe15d4bbe2b9b33be

    • SHA256

      0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6

    • SHA512

      59310d8756a63d7df6c05a6ae78721d8339913bca4b47e076a60cdc95071bd690648c1e298bd29510fc252d813a0ea3dc05d7cdf07ef243770722d4fe1b8e59c

    Score
    10/10
    socelarsaspackv2stealerredlineallsupalltopmedia60603discoveryinfostealerspywareupx

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

5
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks