Resubmissions

Submitted           Sample ID            Score
28-03-2022 07:58    220328-jty77adcdp    10
25-03-2022 09:29    220325-lf232adhh3    1
25-03-2022 09:16    220325-k8tfxsaddl    10
24-03-2022 20:10    220324-yx6trsdgg5    1
21-03-2022 09:00    220321-kyfgbaafh9    10
21-03-2022 08:57    220321-kw1dpsafg5    4
20-03-2022 10:09    220320-l64pjscaen    10
19-03-2022 11:38    220319-nr4gcaghhr    10

General
Target: setup_x86_x64_install.zip
Size: 6.2MB
Sample: 220328-jty77adcdp
MD5: 3569ac6e04296e88444d7ecf799c71b7
SHA1: 79a7f1e0fed008058afa803bdcf3172379808309
SHA256: 1cb6869826cf5ea749658c7622c8b4ecbcbb5c5e167ebc6623a01a0e0483e0f7
SHA512: 3de27b865db8ae753ca012771c71ca5e49e83aa4ebbac339938f722cb04c276a09925c759e0eaacaa842e69fb90ec7fb23e77a6411d2b1bc9d0f7b352f8091c8
Static task: static1
Malware Config

Extracted: socelars
  http://www.iyiqian.com/
  http://www.xxhufdc.top/
  http://www.uefhkice.xyz/
  http://www.fcektsy.top/

Extracted: redline
  ANI
  45.142.215.47:27643

Extracted: smokeloader
  2020
  http://varmisende.com/upload/
  http://fernandomayol.com/upload/
  http://nextlytm.com/upload/
  http://people4jan.com/upload/
  http://asfaltwerk.com/upload/

Extracted: vidar
  40.6
  706
  https://dimonbk83.tumblr.com/
  profile_id: 706
Targets

Target: setup_x86_x64_install.exe
Size: 6.2MB
MD5: d2f0cfac1c354f041c7b243f3df94d0a
SHA1: dfc03d06e799018485dc2dd72f997a0fef3d83a1
SHA256: 3faadb2356253a3c76b42691c13dd3c05b0df75fbf543041bd7afc478b9a838c
SHA512: ed4b434001a16e0d81d59a5be9a26d31be8fb518ddc9e98dd22ca031761ab88ec9d4d479f11b2c0febfb90960061159836c806952d9e0c5cf9239654a5b7e6d6
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
  suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
- OnlyLogger Payload
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext