Resubmissions
28-03-2022 07:58
220328-jty77adcdp 1025-03-2022 09:29
220325-lf232adhh3 125-03-2022 09:16
220325-k8tfxsaddl 1024-03-2022 20:10
220324-yx6trsdgg5 121-03-2022 09:00
220321-kyfgbaafh9 1021-03-2022 08:57
220321-kw1dpsafg5 420-03-2022 10:09
220320-l64pjscaen 1019-03-2022 11:38
220319-nr4gcaghhr 10General
-
Target
setup_x86_x64_install.zip
-
Size
6.2MB
-
Sample
220319-l1dwyafdfm
-
MD5
3569ac6e04296e88444d7ecf799c71b7
-
SHA1
79a7f1e0fed008058afa803bdcf3172379808309
-
SHA256
1cb6869826cf5ea749658c7622c8b4ecbcbb5c5e167ebc6623a01a0e0483e0f7
-
SHA512
3de27b865db8ae753ca012771c71ca5e49e83aa4ebbac339938f722cb04c276a09925c759e0eaacaa842e69fb90ec7fb23e77a6411d2b1bc9d0f7b352f8091c8
Static task
static1
Malware Config
Extracted
socelars
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.fcektsy.top/
Extracted
redline
ANI
45.142.215.47:27643
Extracted
vidar
40.6
706
https://dimonbk83.tumblr.com/
-
profile_id
706
Extracted
smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Extracted
vidar
50.9
1177
https://ieji.de/@sam7al
https://busshi.moe/@sam0al
-
profile_id
1177
Extracted
redline
nam22
103.133.111.182:44839
-
auth_value
3f8eb78d92dc3090929f5d0a3202a25f
Targets
-
-
Target
setup_x86_x64_install.exe
-
Size
6.2MB
-
MD5
d2f0cfac1c354f041c7b243f3df94d0a
-
SHA1
dfc03d06e799018485dc2dd72f997a0fef3d83a1
-
SHA256
3faadb2356253a3c76b42691c13dd3c05b0df75fbf543041bd7afc478b9a838c
-
SHA512
ed4b434001a16e0d81d59a5be9a26d31be8fb518ddc9e98dd22ca031761ab88ec9d4d479f11b2c0febfb90960061159836c806952d9e0c5cf9239654a5b7e6d6
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
OnlyLogger Payload
-
Vidar Stealer
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-