Overview

overview

10

Static

static

C9A7B309D4...8E.exe

windows7_x64

10

C9A7B309D4...8E.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    C9A7B309D45200B0629A168424AF7D8E.exe

  • Size

    16.4MB

  • Sample

    220410-nc45bsdcd5

  • MD5

    c9a7b309d45200b0629a168424af7d8e

  • SHA1

    1f84cab6835a76efc403fe1a0d22522e8dfa1581

  • SHA256

    01eb1d6a490eebc96fd6b919ae7eb836932a329b66eae022356b5f57acc87686

  • SHA512

    1068073ded0438e1e6cc6f54bf1edb0421f2c4e8cb4362e548af8a376bfe69290900d905e06a855ca4f8b9eb51062af06348b3e109ce18659ef7c245cf75d46e

Score
10/10
loaderbotredlinesocelars123discoveryevasioninfostealerloaderminerpersistencespywarestealertrojanvmprotect

Malware Config

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/vsdh41/

Extracted

Family

redline

Botnet

123

C2

188.68.205.12:7053

Attributes
  • auth_value

    cba3087b3c1a6a9c43b3f96591452ea2

Targets

    • Target

      C9A7B309D45200B0629A168424AF7D8E.exe

    • Size

      16.4MB

    • MD5

      c9a7b309d45200b0629a168424af7d8e

    • SHA1

      1f84cab6835a76efc403fe1a0d22522e8dfa1581

    • SHA256

      01eb1d6a490eebc96fd6b919ae7eb836932a329b66eae022356b5f57acc87686

    • SHA512

      1068073ded0438e1e6cc6f54bf1edb0421f2c4e8cb4362e548af8a376bfe69290900d905e06a855ca4f8b9eb51062af06348b3e109ce18659ef7c245cf75d46e

    Score
    10/10
    redlinesocelars123discoveryevasioninfostealerpersistencespywarestealertrojanvmprotectloaderbotloaderminer

    • LoaderBot

      LoaderBot is a loader written in .NET downloading and executing miners.

      loaderminerloaderbot

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks