General

Target: 0ee6c0c3125b0fa3de7485ba25ce5f83.exe
Size: 756KB
Sample: 220511-l5mpmsbabq
MD5: 0ee6c0c3125b0fa3de7485ba25ce5f83
SHA1: 5bfd848feabd6cb1fe1fd068d2ff98aca16412a2
SHA256: 63581ae3a6484a00bb415bdc2105a1256fb9929a7cb3ef9bcce1b141bb99bf7f
SHA512: 49db6bee7bf07d3b5efb9cf917b3bfbcf647720cfafa27b951a882a99a59109bd0d088e96db0c8a3eb6600a1cb18b079f12c583ffada61923049acf2d0438c7e

Static task: static1
Behavioral task: behavioral1 (sample 0ee6c0c3125b0fa3de7485ba25ce5f83.exe, resource win7-20220414-en)
Behavioral task: behavioral2 (sample 0ee6c0c3125b0fa3de7485ba25ce5f83.exe, resource win10v2004-20220414-en)
Malware Config

Extracted: socelars
C2: https://sa-us-bucket.s3.us-east-2.amazonaws.com/hfber54/

Extracted: vidar
Version: 52
Botnet: 1281
C2: https://t.me/hollandracing
C2: https://busshi.moe/@ronxik321
Attributes: profile_id = 1281
(The two vidar URLs are a Telegram channel and a Mastodon profile; Vidar reads its real C2 address from the profile text, so these act as dead-drop resolvers rather than the C2 itself, which is what the "Legitimate hosting services abused for malware hosting/C2" signature below refers to.)

Extracted: redline
Botnet: jl1
C2: cenyeyalory.xyz:80
C2: kaiaiannial.xyz:80
C2: viasanainah.xyz:80
C2: xtelstasiup.xyz:80
Attributes: auth_value = f786004058a413f14305babf63c56c62
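The extracted C2 values above are the most directly actionable part of the report. The following is an added example, not part of the sandbox output, of turning them into a network check: it derives a hostname-to-family map from the config entries exactly as listed, then runs constructed flow records (the records, the resolver set and the list of external-IP lookup services are all assumptions) through the two network checks the signature list below describes, DNS-port traffic to a resolver other than the configured one and a lookup of an external-IP web service.

```python
"""Added example: match flow records against the report's extracted C2 config.

The flow lines and the IP-lookup host list are constructed for this example;
only CONFIG_C2 is copied verbatim from the report's Malware Config section.
"""
from urllib.parse import urlsplit

# C2 values exactly as extracted in the report (socelars URL, vidar dead-drop
# URLs, redline host:port pairs).
CONFIG_C2 = {
    "socelars": ["https://sa-us-bucket.s3.us-east-2.amazonaws.com/hfber54/"],
    "vidar": ["https://t.me/hollandracing", "https://busshi.moe/@ronxik321"],
    "redline": ["cenyeyalory.xyz:80", "kaiaiannial.xyz:80",
                "viasanainah.xyz:80", "xtelstasiup.xyz:80"],
}

# Assumed list of public "what is my IP" services; the report names none.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "ip-api.com"}

# Constructed flow records: proto src dst app server-name (DNS qname, HTTP Host
# or TLS SNI). 10.0.0.1 is the assumed configured resolver for the victim.
FLOWS = """\
UDP 10.0.0.5:51234 10.0.0.1:53 dns cenyeyalory.xyz
UDP 10.0.0.5:51235 8.8.8.8:53 dns kaiaiannial.xyz
TCP 10.0.0.5:51240 203.0.113.10:80 http cenyeyalory.xyz
TCP 10.0.0.5:51241 198.51.100.7:443 tls t.me
TCP 10.0.0.5:51242 198.51.100.9:443 tls api.ipify.org
TCP 10.0.0.5:51243 192.0.2.20:443 tls www.microsoft.com
"""


def c2_hosts(config):
    """Map lower-cased hostname -> family for every URL or host:port entry.

    Entries without a scheme ("host:80") are parsed as network-location-only
    URLs so urlsplit yields the hostname without the port.
    """
    hosts = {}
    for family, entries in config.items():
        for entry in entries:
            parsed = urlsplit(entry if "://" in entry else "//" + entry)
            hosts[parsed.hostname.lower()] = family
    return hosts


def analyze(flows, resolvers, config=CONFIG_C2):
    """Return (line_no, reason, detail) findings for the three checks."""
    hosts = c2_hosts(config)
    findings = []
    for n, line in enumerate(flows.splitlines(), 1):
        proto, src, dst, app, name = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        name = name.lower()
        # "Unexpected DNS network traffic destination": DNS port, wrong server.
        if dst_port == "53" and dst_ip not in resolvers:
            findings.append((n, "unexpected-dns-destination", dst_ip))
        # Any resolution or connection naming a configured C2 / dead-drop host.
        if name in hosts:
            findings.append((n, "c2-host:" + hosts[name], name))
        # "Looks up external IP address via web service".
        if name in IP_LOOKUP_HOSTS:
            findings.append((n, "external-ip-lookup", name))
    return findings


if __name__ == "__main__":
    for finding in analyze(FLOWS, {"10.0.0.1"}):
        print(finding)
```

Hostname-level matches are sufficient for the redline domains, which exist only for this purpose, but a hit on t.me or an S3 endpoint is meaningless on its own: for those, compare the full path (the channel name or bucket key) before acting on the match.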
Targets

Target: 0ee6c0c3125b0fa3de7485ba25ce5f83.exe
Size: 756KB
MD5: 0ee6c0c3125b0fa3de7485ba25ce5f83
SHA1: 5bfd848feabd6cb1fe1fd068d2ff98aca16412a2
SHA256: 63581ae3a6484a00bb415bdc2105a1256fb9929a7cb3ef9bcce1b141bb99bf7f
SHA512: 49db6bee7bf07d3b5efb9cf917b3bfbcf647720cfafa27b951a882a99a59109bd0d088e96db0c8a3eb6600a1cb18b079f12c583ffada61923049acf2d0438c7e
Signatures

- Process spawned unexpected child process. This typically indicates the parent process was compromised via an exploit or macro.
- RedLine. RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
- suricata: ET MALWARE Observed Malicious Filename in Outbound POST Request (Browsers/Cookies/Microsoft Edge_)
- suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
- suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
- Checks for common network interception software. Looks in the registry for tools like Wireshark or Fiddler that are commonly used to analyze network activity.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry. BIOS information is often read in order to detect sandbox environments.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination. Network traffic on the DNS port to servers other than the configured DNS servers was detected.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system. Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
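Several of the signatures above (the BIOS, VirtualBox ACPI, Wireshark/Fiddler, Uninstall-key, location and Run-key checks) are all registry accesses that differ only in which key is touched and whether it is read or written. As an added example, not part of the report, the following applies those rules to a constructed registry API trace in the style of a sandbox log (the trace lines and the `pid | api | key | value` format are assumptions; the key paths are the standard locations each technique touches). The write-only condition on the Run-key rule matters: merely opening or reading the Run key is routine for legitimate software, while setting a value under it is the persistence.

```python
"""Added example: classify registry API calls against the report's signatures.

The TRACE below is constructed for this example; it is not the sandbox's own
output. Format per line: pid | api | key [| value].
"""
import re
from collections import defaultdict

WRITE_APIS = {"RegSetValueExW", "RegSetValueExA",
              "RegCreateKeyExW", "RegCreateKeyExA"}

# (signature name as the report phrases it, regex over "key\value",
#  whether a write API is required for the rule to fire)
RULES = [
    ("Checks BIOS information in registry",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\"
                r"(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)$", re.I),
     False),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I), False),
    ("Checks for common network interception software",
     re.compile(r"\\(Wireshark|Fiddler)", re.I), False),
    ("Checks installed software on the system",
     re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I), False),
    ("Checks computer location settings",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I), False),
    ("Adds Run key to start application",
     re.compile(r"\\CurrentVersion\\Run\\", re.I), True),
]

# Constructed trace: pid 1884 does the environment checks, pid 2320 persists.
# The "Windows NT\CurrentVersion | ProductName" read is benign and must not fire.
TRACE = r"""
1884 | RegOpenKeyExW | HKLM\HARDWARE\DESCRIPTION\System
1884 | RegQueryValueExW | HKLM\HARDWARE\DESCRIPTION\System | SystemBiosVersion
1884 | RegOpenKeyExW | HKLM\HARDWARE\ACPI\DSDT\VBOX__
1884 | RegOpenKeyExW | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
1884 | RegOpenKeyExW | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
1884 | RegQueryValueExW | HKCU\Control Panel\International\Geo | Nation
2320 | RegQueryValueExW | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductName
2320 | RegOpenKeyExW | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2320 | RegSetValueExW | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Updater
"""


def classify(trace):
    """Return {signature name: [(pid, full key path), ...]} for matching calls."""
    hits = defaultdict(list)
    for line in trace.strip().splitlines():
        fields = [f.strip() for f in line.split("|")]
        pid, api, key = fields[:3]
        value = fields[3] if len(fields) > 3 else ""
        # Join key and value so one regex can test either level of the path.
        full = key + ("\\" + value if value else "")
        for name, pattern, needs_write in RULES:
            if needs_write and api not in WRITE_APIS:
                continue
            if pattern.search(full):
                hits[name].append((int(pid), full))
    return dict(hits)


def by_process(hits):
    """Invert to {pid: sorted signature names}, the view an analyst triages from."""
    per_pid = defaultdict(set)
    for name, entries in hits.items():
        for pid, _ in entries:
            per_pid[pid].add(name)
    return {pid: sorted(names) for pid, names in per_pid.items()}


if __name__ == "__main__":
    for pid, names in sorted(by_process(classify(TRACE)).items()):
        print(pid, names)
```

Note that one access can legitimately satisfy two rules: opening an Uninstall subkey named Wireshark both enumerates installed software and checks for interception tools, which is why the report lists both signatures for what is very likely the same few registry calls.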