General
- Target: 7418326158.zip
- Size: 3.5MB
- Sample: 220504-1pvsmshdgr
- MD5: 357ef1fdcb7bf7a66b51a197ad38485c
- SHA1: 3acca6a8bc4d733089fe98feb50416dadeb98651
- SHA256: 469b2a19deab693e53b7ea3d2c26833067fe6be1b9493505091fd9f586c54fb0
- SHA512: e279f69f11dcb552cf0d767d7c3329e70ccb018e0b2ac747ed635097b5f03b874574b5c1b8f44379b4a366e7bdcaeb183aa3c43ce91c544d6f3995b59e1a6bcc
Static task
static1
Malware Config
Extracted: socelars
  http://www.iyiqian.com/
  http://www.hbgents.top/
  http://www.rsnzhy.com/
  http://www.znsjis.top/
Extracted: redline
  jamesbig
  65.108.20.195:6774
Extracted: vidar
  41
  706
  https://mas.to/@killern0
  profile_id: 706
Extracted: smokeloader
  2020
  http://govsurplusstore.com/upload/
  http://best-forsale.com/upload/
  http://chmxnautoparts.com/upload/
  http://kwazone.com/upload/
Targets
- Target: 1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15
- Size: 3.5MB
- MD5: 091972a4b28199a3dcf548286be0336c
- SHA1: 11b0289c1ad3c75c53b03e8945b21c8624d6166d
- SHA256: 1bcd1d1521d0879173fb5adfd51fad8b9100524dd6f46f79af757d8b4dc00c15
- SHA512: b581051aae417d8f84331133e7d17dd468c942150c6e896f92c396184e4af588e7aef082e954e82892d92642be226a26fdd1df064ff2490e9dfbf842f68b57ea
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
  suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
- OnlyLogger Payload
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.