General
Target: i864x__setup__622bbc23f088c.zip
Size: 6.3MB
Sample: 220314-nfec3seeb7
MD5: 5163f3272f4ef8c5a5b6c4a5a0ca36e5
SHA1: ce60d7779b53c3671d8922a5f05bcbfa31cd7734
SHA256: e95b255a652ac51d977ea179ababe0e4c652afe07a37f8a9afc324a640705927
SHA512: ca4d4d1f173c845ca6b076d455e20319bec61c688d2dcd33ab631297c573d257d423e37d732c3009d13dcd83f79e45369af7e9203fa37b3b92a0419f92efba7a
Static task: static1
Behavioral task: behavioral1
  Sample: i864x__setup__622bbc23f088c.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: i864x__setup__622bbc23f088c.exe
  Resource: win10v2004-en-20220113
Malware Config
Extracted: socelars
  https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/
Extracted: smokeloader 2020
Extracted: redline (media1120112)
  92.255.57.154:11841
  auth_value: 2948163485fe8e04db7acc17e8a19406
Extracted: redline (ww)
  193.106.191.67:44400
  auth_value: 5a1b28ccd05953f5c3f99729c12427cc
Targets
Target: i864x__setup__622bbc23f088c.exe
Size: 6.4MB
MD5: 42c477e367dca72c9794c8c1564dcfd8
SHA1: 224b760e32e56b7047f35c76ba9959b9f406c804
SHA256: feba9bf42249bc45378ea0c07e476dc7bbf2ec9665db5981757d37b75ebab3ca
SHA512: f77555ef2492ac1ad9dc0b0dae7c74364f8e42daadcbb564435b105dacc316e9817ee1a30987adf55870833fe1e219776411cc8d5f4aa5a6c9dc046aa861bb4e
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- OnlyLogger Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext