Overview (score 10/10)

Task scores

Task         Sample         Platform             Score
Static       -              -                    10/10
Behavioral   Files.exe      windows7_x64         10/10
Behavioral   Files.exe      windows10-2004_x64   10/10
Behavioral   KRSetp.exe     windows7_x64         6/10
Behavioral   KRSetp.exe     windows10-2004_x64   6/10
Behavioral   agdsk.exe      windows7_x64         10/10
Behavioral   agdsk.exe      windows10-2004_x64   10/10
Behavioral   jg4_4jaa.exe   windows7_x64         7/10
Behavioral   jg4_4jaa.exe   windows10-2004_x64   7/10
Behavioral   pub2.exe       windows7_x64         10/10
Behavioral   pub2.exe       windows10-2004_x64   10/10
Behavioral   pzyh.exe       windows7_x64         8/10
Behavioral   pzyh.exe       windows10-2004_x64   8/10
Behavioral   wf-game.exe    windows7_x64         10/10
Behavioral   wf-game.exe    windows10-2004_x64   7/10

General
Target: a4ff0954cdad7803ed827b73d63198b4f30a3a2eb46baf94bd99c69761a65ce6
Size: 2.9MB
Sample: 220408-rcv37sddd9
MD5: aac9a5744455124b197b7ea300c442dc
SHA1: 0b51e598edcdde4d11fa02e7146229ca7a93c2b0
SHA256: a4ff0954cdad7803ed827b73d63198b4f30a3a2eb46baf94bd99c69761a65ce6
SHA512: bd66285d9f0f45c3323bc2520898ba307f47b6892a9a2d9de3a3a1eec178a7edf7c27f72b156fd50bb9e0f21ae0719ff440a1a196b5cb24506671fc614341ad2
Tasks

Task           Type         Sample         Resource
static1        Static       -              -
behavioral1    Behavioral   Files.exe      win7-20220331-en
behavioral2    Behavioral   Files.exe      win10v2004-20220331-en
behavioral3    Behavioral   KRSetp.exe     win7-20220331-en
behavioral4    Behavioral   KRSetp.exe     win10v2004-20220331-en
behavioral5    Behavioral   agdsk.exe      win7-20220331-en
behavioral6    Behavioral   agdsk.exe      win10v2004-20220331-en
behavioral7    Behavioral   jg4_4jaa.exe   win7-20220331-en
behavioral8    Behavioral   jg4_4jaa.exe   win10v2004-20220331-en
behavioral9    Behavioral   pub2.exe       win7-20220331-en
behavioral10   Behavioral   pub2.exe       win10v2004-20220331-en
behavioral11   Behavioral   pzyh.exe       win7-20220331-en
behavioral12   Behavioral   pzyh.exe       win10v2004-en-20220113
behavioral13   Behavioral   wf-game.exe    win7-20220331-en
behavioral14   Behavioral   wf-game.exe    win10v2004-20220331-en
Malware Config

Extracted: socelars
  http://www.fddnice.pw/
  http://www.sokoinfo.pw/
  http://www.zzhlike.pw/
  http://www.wygexde.xyz/

Extracted: redline (v1)
  199.195.251.96:43073

Extracted: smokeloader (2020)
  http://al-commandoz.com/upload/
  http://antalya-belek.com/upload/
  http://luxurysv.com/upload/
  http://massagespijkenisse.com/upload/
  http://rexgorellhondaevent.com/upload/
Targets

Target: Files.exe
Size: 480KB
MD5: 04251d7ea41e3c1906bcc0bc29a37e15
SHA1: 4a8b321bdcb9c4e5fe93e0bca8ea1cbd4143e377
SHA256: c0f34b639fa12e2fd29e39092e3b2e14b9c41d4bd7c69a42478b1834094fa2df
SHA512: 04a283488ae01837f9a733c8d71a645e849dd2a32ec8f67ea351582bc2604049751c6b6cacfa342f02c2f8701540ac4b2cdab162936a79a1d9d42a00f16df8fb
Score: 10/10
Signatures:
  - RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  - RedLine Payload
  - Executes dropped EXE
  - Checks computer location settings
    Looks up the country code configured in the registry, likely used as a geofence.
  - Loads dropped DLL
  - Adds Run key to start application
  - Legitimate hosting services abused for malware hosting/C2
  - Suspicious use of SetThreadContext
Target: KRSetp.exe
Size: 163KB
MD5: aeeeb778afcc78fa80f64a199a49cdb4
SHA1: 873b799fe828862861f02258d36a66a9664c0a95
SHA256: 27decb456b65dee3d232a0f04b92976428d8aa26ec25fe26b3bb3dfc2b05c146
SHA512: 9aba8b5f3cdf293fadba07ebb502cd8b9888f405be0ece794a1bd6d883a98ca32561e905efa8c7f1fffd38cddec0bab61db42b12a5690cc34564cd7340605691
Score: 6/10
Signatures:
  - Legitimate hosting services abused for malware hosting/C2
Target: agdsk.exe
Size: 1.4MB
MD5: 53f9570b38f020cfca3f1ff6c274ad3d
SHA1: 96910fbf8a83816c804e2e0daf70d6fcdcc11657
SHA256: 32ac26c29131d682d7d02accf5235858e249f792b76e5a34b153f05a3c97e391
SHA512: 5e86af31fe8f9f09fc510fdb593adc4d4b7bf6fb02c8deec9c157acbd4c248e7a62d2f90eedfd396e9c8b2dd2429486561a7742e38eb64fe3e2b9874d3b0edb3
Signatures:
  - Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  - Legitimate hosting services abused for malware hosting/C2
Target: jg4_4jaa.exe
Size: 1.0MB
MD5: 71e6d5725a4495e73c3988a7d61641da
SHA1: d087800fd4b040bb346143e496fb816fec18bf68
SHA256: adf7cacf624f929ba9b510d7712f3bb0fcfce8ebf7fb63316e84461cedb4ea18
SHA512: 6ce416b305b08df894f41577c89c392ea9e3180cacbdb70a1a9f80b94832ed21b3d66a6136d479df791b70532bbcd7f0cb290ff2a88991c72eca9fddca1f9e6b
Target: pub2.exe
Size: 283KB
MD5: 8c0833558105d214596567678d709c08
SHA1: 673729d6b72a569c78e7ae4afc3330d76a567ffe
SHA256: d19440fdd9ab41733825f73985f1b1ada5c1cd8c949c88ca28d92b470cda1f89
SHA512: e1a0e041a4a69b44283f828f7abd4bfb1924bfaf0d352a8ee1d104359d8d8c53de0a8f07a7c9c411c6e3c9b668936884bed9d54890e5c38ec678f9045fc3fe11
Score: 10/10
Signatures:
  - Loads dropped DLL
Target: pzyh.exe
Size: 975KB
MD5: 8cbde3982249e20a6f564eb414f06fe4
SHA1: 6d040b6c0f9d10b07f0b63797aa7bfabf0703925
SHA256: 4a8a37d0010b2a946e9b202ea07d8b93a29a3ea9a56852678307076e10999c83
SHA512: d84863489b5fb2d17ee1df47de735a88d510bb8f5e378126243e34edb017d3ed82807c7dbd5cf6a977601f0e440be12e680679f1ce472619fd0ebbe9579c3e1b
Score: 8/10
Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
Target: wf-game.exe
Size: 702KB
MD5: 56f7f9da6ff4124d52bf27f0116e5811
SHA1: 7a19ec49d23a71b47ad507793e6afc53139b5d78
SHA256: 1fd100eb0aa9348af79f35abb29990b7c1ced997016da20316f94bdb6cca8944
SHA512: 0c7372f9ac72c5db7de658b80cfe9186cce4fee52f46aaf10efa3eb15d0133a2b5fd9c85984ef63f7b79e0787490ad2814cee01dc749a9ac90291d52b41b7fcf
Score: 10/10
Signatures:
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks computer location settings
    Looks up the country code configured in the registry, likely used as a geofence.
  - Loads dropped DLL
  - Suspicious use of SetThreadContext