General
- Target: f8c94223320ddda3b79ffce767735276933694969fcd091819ec39ddc2b2bb30
- Size: 4.5MB
- Sample: 220315-rslvgacfh9
- MD5: f746546d8142d223abc25c510f922f5a
- SHA1: dfb1771213620fdba5264153d5dfd926ca481d89
- SHA256: f8c94223320ddda3b79ffce767735276933694969fcd091819ec39ddc2b2bb30
- SHA512: d89fc0f84eacb3eeb729185cb484fde9cf8dfe58639ad470c271279360c4daaba8edff8f17d276b4035ebfe4ed2a9f308e30c8eb3a57895edd59b0f4ec9982df
Static task
- static1
Behavioral task
- behavioral1
  - Sample: f8c94223320ddda3b79ffce767735276933694969fcd091819ec39ddc2b2bb30.exe
  - Resource: win7-20220310-en
Malware Config
Extracted: socelars
- http://www.iyiqian.com/
- http://www.xxhufdc.top/
- http://www.uefhkice.xyz/
- http://www.wygexde.xyz/
Extracted: redline
- Botnet/build tag: Build1
- C2: 45.142.213.135:30058
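The extracted configuration above is the most directly actionable part of the report: four Socelars URLs and one RedLine C2 socket. The following is an added example (not part of the sandbox report) that normalises those values into host and socket indicators and matches them against constructed DNS, proxy and flow log lines; the log format and the `redline/low` confidence tier for a flow to the C2 IP on another port are assumptions of this example, chosen because RedLine builds are known to change ports more often than addresses.

```python
# Added example, not part of the sandbox report: turn the extracted
# Socelars/RedLine configuration into network IOCs and match them
# against log lines. Every log line below is constructed for the demo.
import ipaddress
import re
from urllib.parse import urlsplit

# IOCs copied from the "Malware Config" section of the report.
SOCELARS_URLS = [
    "http://www.iyiqian.com/",
    "http://www.xxhufdc.top/",
    "http://www.uefhkice.xyz/",
    "http://www.wygexde.xyz/",
]
REDLINE_C2 = "45.142.213.135:30058"


def build_iocs(urls, c2):
    """Normalise config URLs and the C2 socket into lookup sets."""
    hosts = {urlsplit(u).hostname.lower() for u in urls}
    ip, port = c2.rsplit(":", 1)
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return {"hosts": hosts, "ips": {ip}, "sockets": {(ip, int(port))}}


# Constructed sample telemetry: a DNS log, a proxy log and a flow log,
# all in a simple key=value layout assumed for this example.
SAMPLE_LOGS = [
    "dns client=10.0.0.15 query=www.xxhufdc.top type=A",
    "dns client=10.0.0.15 query=www.microsoft.com type=A",
    "proxy client=10.0.0.15 url=http://www.iyiqian.com/ status=200",
    "proxy client=10.0.0.22 url=https://www.python.org/ status=200",
    "flow src=10.0.0.15 dst=45.142.213.135 dport=30058 proto=tcp",
    "flow src=10.0.0.15 dst=45.142.213.135 dport=443 proto=tcp",
    "flow src=10.0.0.9 dst=8.8.8.8 dport=53 proto=udp",
]

KV = re.compile(r"(\w+)=(\S+)")


def match_logs(lines, iocs):
    """Return (line, family/confidence, indicator) for each IOC hit."""
    hits = []
    for line in lines:
        f = dict(KV.findall(line))
        host = f.get("query")
        if host is None and "url" in f:
            host = urlsplit(f["url"]).hostname
        if host and host.lower() in iocs["hosts"]:
            hits.append((line, "socelars", host.lower()))
        elif f.get("dst") in iocs["ips"]:
            # Exact ip:port match is high confidence; same IP on another
            # port is still worth a look because RedLine ports rotate.
            sock = (f["dst"], int(f.get("dport", 0)))
            conf = "high" if sock in iocs["sockets"] else "low"
            hits.append((line, f"redline/{conf}", f"{f['dst']}:{f.get('dport')}"))
    return hits


if __name__ == "__main__":
    for line, fam, ioc in match_logs(SAMPLE_LOGS, build_iocs(SOCELARS_URLS, REDLINE_C2)):
        print(f"[{fam}] {ioc}  <-  {line}")
```

Run as a script it prints four hits: two Socelars hosts, the RedLine socket at high confidence and the same IP on 443 at low confidence. Hosts are matched on the normalised hostname rather than the full URL so that path or scheme variations in proxy logs do not hide a hit.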
Targets
- Target: f8c94223320ddda3b79ffce767735276933694969fcd091819ec39ddc2b2bb30
- Size: 4.5MB
- MD5: f746546d8142d223abc25c510f922f5a
- SHA1: dfb1771213620fdba5264153d5dfd926ca481d89
- SHA256: f8c94223320ddda3b79ffce767735276933694969fcd091819ec39ddc2b2bb30
- SHA512: d89fc0f84eacb3eeb729185cb484fde9cf8dfe58639ad470c271279360c4daaba8edff8f17d276b4035ebfe4ed2a9f308e30c8eb3a57895edd59b0f4ec9982df
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess (a process created with a parent other than the caller, i.e. parent PID spoofing)
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext (commonly used to redirect execution in an injected or hollowed process)
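Several of the behaviours in the signature list map onto host telemetry that most EDR and Sysmon deployments already collect. The block below is an added example (not code from the report or from the sandbox vendor) that walks a constructed sequence of Sysmon-style events and flags three of them: a dropped executable being run (EventID 11 file create followed by EventID 1 process create), a Run-key value set (EventID 13) and a DNS query (EventID 22) to an external-IP lookup service. The event fields, the sample process tree and the list of IP-lookup domains are all assumptions of this example; the report does not say which lookup service the sample contacted.

```python
# Added example, not from the sandbox report: triage Sysmon-style events
# for "Executes dropped EXE", "Adds Run key to start application" and
# "Looks up external IP address via web service". All events below are
# constructed; the IP-lookup domains are an assumed watch list.
import re

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories a non-admin user can write to; a Run value pointing here is
# a stronger persistence signal than one pointing into Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
# Assumed watch list of legitimate external-IP / geolocation services.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ipinfo.io", "ip-api.com", "api.ip.sb"}

SAMPLE_NAME = "f8c94223320ddda3b79ffce767735276933694969fcd091819ec39ddc2b2bb30.exe"
SAMPLE_PATH = r"C:\Users\user\Desktop" + "\\" + SAMPLE_NAME
DROPPED_PATH = r"C:\Users\user\AppData\Local\Temp\setup.exe"

# Constructed Sysmon-style events in time order (EventID plus the fields
# this example reads; real Sysmon records carry many more).
EVENTS = [
    {"EventID": 1, "ProcessId": 1200, "Image": SAMPLE_PATH,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 1200, "TargetFilename": DROPPED_PATH},
    {"EventID": 1, "ProcessId": 1356, "Image": DROPPED_PATH,
     "ParentImage": SAMPLE_PATH},
    {"EventID": 13, "ProcessId": 1356,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\setup",
     "Details": DROPPED_PATH},
    {"EventID": 22, "ProcessId": 1356, "QueryName": "api.ipify.org"},
    {"EventID": 22, "ProcessId": 1356, "QueryName": "www.iyiqian.com"},
    {"EventID": 1, "ProcessId": 1500, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def triage(events):
    """Return a list of (signature, process_id, evidence) findings."""
    findings = []
    dropped = set()  # lower-cased paths of .exe files written during the trace
    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and ev["TargetFilename"].lower().endswith(".exe"):
            dropped.add(ev["TargetFilename"].lower())
        elif eid == 1 and ev["Image"].lower() in dropped:
            findings.append(("Executes dropped EXE", ev["ProcessId"], ev["Image"]))
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            tag = "Adds Run key to start application"
            if USER_WRITABLE.search(ev.get("Details", "")):
                tag += " (user-writable path)"
            findings.append((tag, ev["ProcessId"], ev["TargetObject"]))
        elif eid == 22 and ev["QueryName"].lower() in IP_LOOKUP_DOMAINS:
            findings.append(("Looks up external IP address via web service",
                             ev["ProcessId"], ev["QueryName"]))
    return findings


if __name__ == "__main__":
    for sig, pid, evidence in triage(EVENTS):
        print(f"{sig}: pid={pid} {evidence}")
```

The "dropped EXE" check deliberately keys on the file-create event rather than on a path pattern, so a payload dropped into an unusual directory is still caught; the trade-off is that the file-create event must precede the process-create event in the stream, which holds for time-ordered Sysmon data. The geofence check from the signature list is not covered here because Sysmon records registry writes, not the registry reads that a country-code lookup produces.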