General
-
Target
setup__files.zip
-
Size
7.4MB
-
Sample
220604-nybpxaaccm
-
MD5
7f2905bcfde9f3e0bca5be4e62ca6b05
-
SHA1
007e8fde46ad0c30d4cb13c0dbaf03659fbc8522
-
SHA256
c47ed735f510e5df415c1c0cec0f7108897f0f792f4a7736e4ed4671aca3e3c1
-
SHA512
78f95af43eaa2040453f626aff77ebde7e7cdfb28efbc07a1d1f17c53d6ce509fccce40aa9260758b9d8e50c3f15bdd74231a42944de180a2d75f85e9932f525
Static task
static1
Behavioral task
behavioral1
Sample
install_setup.exe
Resource
win7-20220414-en
Malware Config
Extracted
socelars
https://iplogger.org/1NsYz7/
https://iplogger.org/1ibws7/
https://iplogger.org/1XJq97/
https://sa-us-bucket.s3.us-east-2.amazonaws.com/ujfreids61/
Extracted
redline
newmedia
141.95.211.151:24029
-
auth_value
1357621094eca5effbae54426cf56251
Extracted
amadey
3.20
marobast.ws/b3m2fVVs0/index.php
pinedisc.ws/b3m2fVVs0/index.php
generiba.ws/b3m2fVVs0/index.php
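The extracted configuration above is the most directly actionable part of the report: it is what a responder turns into hunting indicators. The following script is an added example, not code from the sandbox or from any of the malware families, and it assumes a simple proxy-log and netflow line format; the sample records are constructed. It splits the indicators by how specific they can be: iplogger.org and the S3 endpoint are legitimate services (the report itself notes "Legitimate hosting services abused for malware hosting/C2"), so only the full URL path is usable for them, whereas the Amadey domains are indicators on their own.

```python
"""Turn the Socelars / RedLine / Amadey config from the sandbox report into
hunting indicators and match them against constructed log records.
Added example; the log formats, helper names and sample lines are assumptions."""
import re
from urllib.parse import urlsplit

# Indicators copied from the report's "Malware Config" section.
SOCELARS_URLS = [
    "https://iplogger.org/1NsYz7/",
    "https://iplogger.org/1ibws7/",
    "https://iplogger.org/1XJq97/",
    "https://sa-us-bucket.s3.us-east-2.amazonaws.com/ujfreids61/",
]
REDLINE_C2 = ("141.95.211.151", 24029)
AMADEY_C2 = [
    "marobast.ws/b3m2fVVs0/index.php",
    "pinedisc.ws/b3m2fVVs0/index.php",
    "generiba.ws/b3m2fVVs0/index.php",
]

# Assumed log formats (constructed for this example):
#   proxy:  <ts> <src-ip> <METHOD> <url> <status>
#   flow:   <ts> <src-ip>:<sport> -> <dst-ip>:<dport> <proto>
PROXY_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$')
FLOW_RE = re.compile(r'^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$')


def build_iocs():
    """Split the config into host-level, URL-path-level and socket-level indicators.
    Shared services (iplogger.org, S3) only count with their exact path prefix;
    the Amadey domains are malicious as bare hostnames."""
    hosts, url_paths, sockets = set(), set(), set()
    for u in SOCELARS_URLS:
        p = urlsplit(u)
        url_paths.add((p.hostname.lower(), p.path))
    for u in AMADEY_C2:
        host, _, path = u.partition("/")
        hosts.add(host.lower())
        url_paths.add((host.lower(), "/" + path))
    sockets.add(REDLINE_C2)
    return {"hosts": hosts, "url_paths": url_paths, "sockets": sockets}


def match_proxy(line, iocs):
    """Return (indicator-type, value) if a proxy line hits a config URL or Amadey host."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    p = urlsplit(m["url"])
    host = (p.hostname or "").lower()
    if host in iocs["hosts"]:
        return ("amadey-c2-host", host)
    for h, path in iocs["url_paths"]:
        # Prefix match on the path so a request below the tracked path still hits,
        # but the landing page or another S3 prefix on the same host does not.
        if host == h and p.path.startswith(path):
            return ("config-url", m["url"])
    return None


def match_flow(line, iocs):
    """Return (indicator-type, value) if a flow line hits the RedLine C2 socket.
    The match is on the exact ip:port from the config; whether the bare IP is
    worth alerting on by itself is an analyst decision, not made here."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    if (m["dst"], int(m["dport"])) in iocs["sockets"]:
        return ("redline-c2", f'{m["dst"]}:{m["dport"]}')
    return None


def scan(lines, iocs):
    """Run both matchers over a list of log lines; returns (type, value, line) per hit."""
    hits = []
    for ln in lines:
        hit = match_proxy(ln, iocs) or match_flow(ln, iocs)
        if hit:
            hits.append((hit[0], hit[1], ln))
    return hits


# Constructed sample records (not from the report).
SAMPLE_LOGS = [
    "2022-06-04T10:01:02Z 10.0.0.15 GET https://iplogger.org/1NsYz7/ 200",
    "2022-06-04T10:01:05Z 10.0.0.15 GET https://iplogger.org/ 200",  # landing page: not an IOC
    "2022-06-04T10:01:09Z 10.0.0.15 POST http://marobast.ws/b3m2fVVs0/index.php 200",
    "2022-06-04T10:01:12Z 10.0.0.15 GET https://sa-us-bucket.s3.us-east-2.amazonaws.com/other/ 403",  # other prefix
    "2022-06-04T10:01:20Z 10.0.0.15:49812 -> 141.95.211.151:24029 tcp",
    "2022-06-04T10:01:21Z 10.0.0.15:49813 -> 141.95.211.151:443 tcp",  # same IP, different port
]

if __name__ == "__main__":
    for kind, value, line in scan(SAMPLE_LOGS, build_iocs()):
        print(f"{kind:16} {value:60} <- {line}")
```

Of the six constructed lines, three hit: the Socelars tracking URL, the Amadey C2 host and the RedLine socket. The iplogger landing page and the unrelated S3 prefix do not, which is the point of keeping path-level indicators separate from host-level ones.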
Targets
-
Target
install_setup.exe
-
Size
7.4MB
-
MD5
11b61f379a2946224854e1a22bf87483
-
SHA1
35976ccdc24c993875238c7d46592e5f26863c4f
-
SHA256
2fad80640248ef14d7c7759ae16ade3b8953120ead22a6397d12cc8a9559b424
-
SHA512
d2eae45e8c32aaf7ff96e626b541b9cc75879e2c0de724bf186788ed7343ede962f3c116ddadda59be65b2f469a138789ce1c683fd5f8bd3b3854953daa70148
-
Detect Amadey credential stealer module
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Loads dropped DLL
-
Modifies file permissions
-
Unexpected DNS network traffic destination
DNS-port traffic to servers other than the host's configured DNS servers was detected.
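The check behind this signature is simple to reproduce on flow data: anything on a DNS port whose destination is not one of the resolvers handed to the host. The script below is an added example, not the sandbox's own detection; the flow line format, the configured resolver and the sample flows are constructed (the external address uses RFC 5737 documentation space). It also tiers the hits, since a well-known public resolver is a lower-confidence finding than an arbitrary host listening on 53.

```python
"""Flag DNS-port traffic to destinations other than the configured resolvers.
Added example reproducing the 'Unexpected DNS network traffic destination'
check; flow format, resolver list and sample flows are assumptions."""
import re

# Assumed flow format (constructed): <ts> <src-ip>:<sport> -> <dst-ip>:<dport> <proto>
FLOW_RE = re.compile(r'^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$')

# Assumed: the resolver the analysis VM is actually configured with.
CONFIGURED_RESOLVERS = {"10.0.0.2"}
DNS_PORTS = {53}
# Well-known public resolvers: still unexpected for this host, but a weaker signal
# than a random address answering on 53.
KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


def unexpected_dns(flows, resolvers=CONFIGURED_RESOLVERS):
    """Return one alert per flow on a DNS port whose destination is not a
    configured resolver. Both UDP and TCP count: TCP/53 to an arbitrary host is
    a common way to slip C2 past resolver-side logging."""
    alerts = []
    for line in flows:
        m = FLOW_RE.match(line)
        if not m:
            continue  # not a flow record in the assumed format
        if int(m["dport"]) not in DNS_PORTS:
            continue
        dst = m["dst"]
        if dst in resolvers:
            continue  # the resolver the host was told to use
        alerts.append({
            "ts": m["ts"],
            "src": m["src"],
            "dst": dst,
            "proto": m["proto"],
            "severity": "low" if dst in KNOWN_PUBLIC_RESOLVERS else "high",
        })
    return alerts


# Constructed sample flows (not from the report).
SAMPLE_FLOWS = [
    "2022-06-04T10:02:00Z 10.0.0.15:51000 -> 10.0.0.2:53 udp",       # configured resolver: fine
    "2022-06-04T10:02:01Z 10.0.0.15:51001 -> 8.8.8.8:53 udp",        # public resolver: low
    "2022-06-04T10:02:03Z 10.0.0.15:51002 -> 203.0.113.7:53 tcp",    # arbitrary host on 53: high
    "2022-06-04T10:02:05Z 10.0.0.15:51003 -> 203.0.113.7:443 tcp",   # not a DNS port: ignored
    "this line is not a flow record",
]

if __name__ == "__main__":
    for a in unexpected_dns(SAMPLE_FLOWS):
        print(f'{a["severity"]:4} {a["ts"]} {a["src"]} -> {a["dst"]} {a["proto"]}')
```

Which resolvers count as "configured" has to come from the host itself (the DHCP lease or the interface settings), not from a list of public resolvers; the public-resolver set here only affects the severity tier, never whether a flow is reported.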
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-