General
- Target: 24D4DAEDBA9B8060BF0D09B4383849B69E8D1741C3FFA.exe
- Size: 7.1MB
- Sample: 220520-wnk5labdg3
- MD5: 8ac2aa386d2ab6edb792785243dbde6b
- SHA1: 69680a99121d56023816bd8cb7218d0a320b8745
- SHA256: 24d4daedba9b8060bf0d09b4383849b69e8d1741c3ffaad8156ab8cfa56f8625
- SHA512: 5dec0c8cd026b585575dcd8ba85d4ad7b137c5131928b20c316714b92558a98726b6d082318091a8c6a989c5450ec57be8e1580936a4b9e3104e1b165b544f75
Static task: static1
Behavioral task: behavioral1
- Sample: 24D4DAEDBA9B8060BF0D09B4383849B69E8D1741C3FFA.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 24D4DAEDBA9B8060BF0D09B4383849B69E8D1741C3FFA.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: socelars
- http://www.biohazardgraphics.com/
Extracted: redline (media24pns)
- 65.108.69.168:13293
- auth_value: f4347dfa36c469293073389229d591a9
Extracted: redline (userv1)
- 159.69.246.184:13127
- auth_value: 1c36bfa23099b197f07410a64d4c862e
Targets
- Target: 24D4DAEDBA9B8060BF0D09B4383849B69E8D1741C3FFA.exe (7.1MB; MD5, SHA1, SHA256 and SHA512 as listed under General)
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- OnlyLogger Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext