General
Target: 5824492879904768.zip
Size: 170KB
Sample: 220307-wpvenaadep
MD5: cad87a095910a87a0dfbef6b75b2266d
SHA1: 18ea6cf536e2c7b080dcecda814cd93a18b3be23
SHA256: 39c18be9542c5a330c19ed08c1cc5cb8922d872f602ae13fb4a42d4cc6784883
SHA512: 032bff118a2700a61a740b6ca15f477c5b11ed908f35cd0f2ff4f68c908377b14ce70f309ee8ec4f5a068866473dff61ec7aac18691df48a2281461fc5453796
Static task: static1
Behavioral task: behavioral1
Sample: b0de3b3eb79e5291dcd933e0e8231c90208e2e11e894500fb7df6487ba259ba9.exe
Resource: win7-20220223-en
Behavioral task: behavioral2
Sample: b0de3b3eb79e5291dcd933e0e8231c90208e2e11e894500fb7df6487ba259ba9.exe
Resource: win10v2004-en-20220112
Malware Config
Extracted: redline
ebat222
86.107.197.196:63065
auth_value: ecf32695315360a0175d49dc2111348d
Extracted: socelars
https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/
Extracted: redline
ruzki
91.240.118.93:32076
auth_value: 2cd038d80ba390a568e2a7578eb682e2
Extracted: redline
600$5
193.38.235.192:43770
auth_value: dd54f25665dc6af5439959d34a36bf6b
Extracted: vidar
50.4
937
https://mastodon.online/@samsa11
https://koyu.space/@samsa2l
profile_id: 937
Extracted: raccoon
70547732dfb73df035666996b327b1732a45ccce
url4cnc:
http://185.163.204.119/sonicodic
http://206.189.100.203/sonicodic
http://194.180.191.234/sonicodic
http://185.163.204.216/sonicodic
http://139.162.157.205/sonicodic
http://185.163.47.176/sonicodic
https://t.me/sonicodic
Extracted: redline
ruzki (check bio)
103.133.111.182:44839
auth_value: 767fa45398d3ac4a23de20d0480c2b03
Targets
Target: b0de3b3eb79e5291dcd933e0e8231c90208e2e11e894500fb7df6487ba259ba9
Size: 229KB
MD5: 42c371e393e888b8ff2e0c2f24193ee9
SHA1: 7b04c28fd946374f76f6940ab7ce62ea5aadb85c
SHA256: b0de3b3eb79e5291dcd933e0e8231c90208e2e11e894500fb7df6487ba259ba9
SHA512: 441f8a8f5aab639ce88b4f9c913a9a90647ef91dbcdd73362625d0733468f4752f7359cb72d2496a2eb43b19cb411c33d17c9422c04c19c20ee089df4ae8de8e
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload
Socelars Payload
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
OnlyLogger Payload
Vidar Stealer
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of NtSetInformationThreadHideFromDebugger