General
-
Target
42a21e28fb46f5447eb49142619527858cc813ffe9b95995fb9cdfe1d534cb86
-
Size
9.2MB
-
Sample
220608-rcar9sebe6
-
MD5
5ac42e560ef470e06c1b37de61b7e63b
-
SHA1
42617894516357cdb0bb8433ac1ac0f805bb6977
-
SHA256
42a21e28fb46f5447eb49142619527858cc813ffe9b95995fb9cdfe1d534cb86
-
SHA512
7d66724b661dfbe5cf1e8e6409ee71be4871c27580635d10cde2279464b580fd706a7e852a2cd941d21decd14dcc0d2970088d7ded5dc47944a6f2e161196363
Static task
static1
Behavioral task
behavioral1
Sample
42a21e28fb46f5447eb49142619527858cc813ffe9b95995fb9cdfe1d534cb86.exe
Resource
win7-20220414-en
Malware Config
Extracted
socelars
https://sa-us-bucket.s3.us-east-2.amazonaws.com/ujfreids61/
Extracted
redline
allsup
193.150.103.38:5473
-
auth_value
e46711734d1a10599f62ed229e676578
Extracted
redline
PRIVATOS
185.215.113.75:81
-
auth_value
5ea9b11f430f74fc81d40ef634ac1813
Extracted
redline
AWS1
185.215.113.201:21921
-
auth_value
dcbfcd5e87fa5703eac546226d00771d
Targets
-
-
Target
42a21e28fb46f5447eb49142619527858cc813ffe9b95995fb9cdfe1d534cb86
-
Size
9.2MB
-
MD5
5ac42e560ef470e06c1b37de61b7e63b
-
SHA1
42617894516357cdb0bb8433ac1ac0f805bb6977
-
SHA256
42a21e28fb46f5447eb49142619527858cc813ffe9b95995fb9cdfe1d534cb86
-
SHA512
7d66724b661dfbe5cf1e8e6409ee71be4871c27580635d10cde2279464b580fd706a7e852a2cd941d21decd14dcc0d2970088d7ded5dc47944a6f2e161196363
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
XMRig Miner Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-