General
Target: 96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.zip
Size: 9.7MB
Sample: 220331-saf2yadef7
MD5: 40c8505ae953230b7df57cd41ff9b958
SHA1: 561cf900de177b402c608af14fdcae6bd23c728f
SHA256: 6d42b89a86c2e85f79f6652889209d14c641cde35d7a8c43fc7ea6a657f80957
SHA512: 1442b879b609a6b220cf297970a1d52ac1cf43ee06e4cbbbf0c877b873b2fbf432653ca013ec1ebbbfa3a21ae7919b62ca194eb55ab15eee96f909413e9bebf2
Static task: static1
Behavioral task: behavioral1
Sample: 96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe
Resource: win7-20220310-en
Behavioral task: behavioral2
Sample: 96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a.exe
Resource: win10v2004-20220310-en
Malware Config
Extracted: socelars
https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/
Extracted: smokeloader
2020
Extracted: asyncrat
5.0.5
Venom Clients
116.203.252.195:4449
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
delay: 1
install: true
install_file: svs.exe
install_folder: %AppData%
Extracted: redline
same
116.202.106.111:9582
auth_value: 6fcb28e68ce71e9cfc2aae3ba5e92f33
Targets
Target: 96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a
Size: 9.7MB
MD5: ac5ac3dc9105407cdcea292bbb1e2282
SHA1: 91ba4cf7e046e1ec164ea4e7ac930daa8aefb1e6
SHA256: 96b2519e5fb8dba738fa1abc23712b589d0a06ecdb6690045c769ab52420bd0a
SHA512: dd3bbe1e448b7de46e6fa085d28404075d8c4b01bceddc7d558bcb7c2c7ce9941eac0bd3b064ee2e04eac422dbd04ca3678caa4c1decb1c85507069963dbd525
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Async RAT payload
- OnlyLogger Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext