General
Target: 06863cb5bb52bd84799a527045ab9e296882c2f04e462c5c297da8dc3dadd497.zip
Size: 9.6MB
Sample: 220331-x584esghd6
MD5: 6bb8159211be5fe4079acb4d4c23edaa
SHA1: ec567d6d11faff719850b54fd96e837567cb0f6d
SHA256: dd65b3d3254770a4a448222db48773c39bcd730126d6c65a1b9210ab3445020e
SHA512: d791f7101e75719ca0dce338e36843d40098bc9194f0d0c93cfbb2f7be34b67b5165a952ec0d5af7de11b5e240ef2bc87d27c325360e82cd9d4c32deb20b4ff4
Static task: static1
Behavioral task: behavioral1
  Sample: 06863cb5bb52bd84799a527045ab9e296882c2f04e462c5c297da8dc3dadd497.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: 06863cb5bb52bd84799a527045ab9e296882c2f04e462c5c297da8dc3dadd497.exe
  Resource: win10v2004-20220310-en
Malware Config
Extracted: socelars
  C2: https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/
Extracted: smokeloader
  Version: 2020
  C2: http://host-data-coin-11.com/
  C2: http://file-coin-host-12.com/
Extracted: asyncrat
  Version: 5.0.5
  Botnet: Venom Clients
  C2: 116.203.252.195:4449
  Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
  delay: 1
  install: true
  install_file: svs.exe
  install_folder: %AppData%
Extracted: redline
  Botnet: same
  C2: 116.202.106.111:9582
  auth_value: 6fcb28e68ce71e9cfc2aae3ba5e92f33
Targets
Target: 06863cb5bb52bd84799a527045ab9e296882c2f04e462c5c297da8dc3dadd497
Size: 9.6MB
MD5: c869a2a9d6adbde8402790f7a884d8c9
SHA1: d5452604cb3819e95fd5b29361305ef2357079a2
SHA256: 06863cb5bb52bd84799a527045ab9e296882c2f04e462c5c297da8dc3dadd497
SHA512: 81e64fa0b7115c5e296cb2bb3d68142f16b9be5956bb5e3fa7c7264c0160e5b54c92d7c8ec9832cf69d82f7738eca52d756d46cd97fac99faa706db538cef700
Signatures
Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload
Socelars Payload
Async RAT payload
OnlyLogger Payload
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
AutoIT Executable
  AutoIT scripts compiled to PE executables.
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
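The extracted configs and the "Adds Run key to start application" signature above, turned into a small detection that a responder could run over endpoint telemetry. This is an added example, not part of the sandbox report or of any vendor tooling. The C2 URLs, C2 sockets and the AsyncRAT install_file/install_folder values are taken from the Malware Config section of this report; the event records, their "Key=Value | Key=Value" layout, the victim paths, the SID and the non-C2 addresses (RFC 5737 documentation ranges) are constructed for the example and are not real Sysmon output.

```python
"""Match the C2 indicators and AsyncRAT persistence settings extracted above
against constructed Sysmon-style events (network connect, DNS query, registry
value set). Example code only; the log layout is an assumption for this demo."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# --- Indicators copied from the Malware Config section of the report ---
C2_URLS = {
    "socelars": ["https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/"],
    "smokeloader": ["http://host-data-coin-11.com/", "http://file-coin-host-12.com/"],
}
C2_SOCKETS = {
    "asyncrat": ["116.203.252.195:4449"],
    "redline": ["116.202.106.111:9582"],
}
ASYNCRAT_INSTALL_FILE = "svs.exe"      # install_file from the AsyncRAT config
ASYNCRAT_INSTALL_FOLDER = "%AppData%"  # install_folder; expands to ...\AppData\Roaming

# Exact-host match for the URL-based C2s: the S3 bucket is a legitimate service
# being abused, so we match the full bucket hostname, not amazonaws.com at large.
C2_DOMAINS = {urlparse(u).hostname: fam for fam, urls in C2_URLS.items() for u in urls}
C2_ENDPOINTS = {sock: fam for fam, socks in C2_SOCKETS.items() for sock in socks}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


@dataclass
class Finding:
    family: str
    reason: str


def parse_event(line):
    """Parse one constructed 'Key=Value | Key=Value' record into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(win_path):
    return win_path.rsplit("\\", 1)[-1].strip('"')


def match_event(ev):
    """Return a Finding if the event touches an extracted indicator, else None."""
    eid = ev.get("EventID")
    if eid == "3":  # network connection
        endpoint = f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"
        fam = C2_ENDPOINTS.get(endpoint)
        if fam:
            return Finding(fam, f"connection to extracted C2 {endpoint}")
    elif eid == "22":  # DNS query
        fam = C2_DOMAINS.get(ev.get("QueryName", "").lower())
        if fam:
            return Finding(fam, f"DNS lookup of extracted C2 host {ev['QueryName']}")
    elif eid == "13":  # registry value set
        target, data = ev.get("TargetObject", ""), ev.get("Details", "")
        if RUN_KEY_RE.search(target) and APPDATA_RE.search(data):
            if basename(data).lower() == ASYNCRAT_INSTALL_FILE:
                return Finding("asyncrat", f"Run key pointing at {ASYNCRAT_INSTALL_FOLDER}\\{ASYNCRAT_INSTALL_FILE}")
            # Generalisation: any Run value under %AppData% is worth a look, even if the
            # file name differs from this sample's configured install_file.
            return Finding("unknown", f"Run key pointing at executable under {ASYNCRAT_INSTALL_FOLDER}")
    return None


def scan(lines):
    return [f for f in (match_event(parse_event(l)) for l in lines if l.strip()) if f]


# Constructed events (not real telemetry). Paths, SID and benign IPs are invented.
SAMPLE_EVENTS = [
    r"EventID=3 | Image=C:\Users\victim\AppData\Roaming\svs.exe | DestinationIp=116.203.252.195 | DestinationPort=4449",
    r"EventID=3 | Image=C:\Windows\System32\svchost.exe | DestinationIp=192.0.2.10 | DestinationPort=443",
    r"EventID=22 | Image=C:\Users\victim\Desktop\06863cb5bb52bd84799a527045ab9e296882c2f04e462c5c297da8dc3dadd497.exe | QueryName=host-data-coin-11.com",
    r"EventID=22 | Image=C:\Program Files\Mozilla Firefox\firefox.exe | QueryName=www.example.org",
    r"EventID=13 | Image=C:\Users\victim\AppData\Roaming\svs.exe | TargetObject=HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\svs | Details=C:\Users\victim\AppData\Roaming\svs.exe",
    r"EventID=13 | Image=C:\Program Files\Vendor\setup.exe | TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent | Details=C:\Program Files\Vendor\agent.exe",
    r"EventID=3 | Image=C:\Users\victim\AppData\Local\Temp\stub.exe | DestinationIp=116.202.106.111 | DestinationPort=9582",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.family}] {finding.reason}")
```

The socket and hostname matches are exact because the report gives exact values; the Run-key rule deliberately matches more broadly (any value under %AppData%) and only attributes to AsyncRAT when the file name equals the configured install_file, so a rebuilt sample with a different install_file still surfaces as a lower-confidence hit.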