General

  • Target

    42a21e28fb46f5447eb49142619527858cc813ffe9b95995fb9cdfe1d534cb86

  • Size

    9.2MB

  • Sample

    220608-rcar9sebe6

  • MD5

    5ac42e560ef470e06c1b37de61b7e63b

  • SHA1

    42617894516357cdb0bb8433ac1ac0f805bb6977

  • SHA256

    42a21e28fb46f5447eb49142619527858cc813ffe9b95995fb9cdfe1d534cb86

  • SHA512

    7d66724b661dfbe5cf1e8e6409ee71be4871c27580635d10cde2279464b580fd706a7e852a2cd941d21decd14dcc0d2970088d7ded5dc47944a6f2e161196363

Malware Config

Extracted

  • Family

    socelars

  • C2

    https://sa-us-bucket.s3.us-east-2.amazonaws.com/ujfreids61/

Extracted

  • Family

    redline

  • Botnet

    allsup

  • C2

    193.150.103.38:5473

  • Attributes

    auth_value: e46711734d1a10599f62ed229e676578

Extracted

  • Family

    redline

  • Botnet

    PRIVATOS

  • C2

    185.215.113.75:81

  • Attributes

    auth_value: 5ea9b11f430f74fc81d40ef634ac1813

Extracted

  • Family

    redline

  • Botnet

    AWS1

  • C2

    185.215.113.201:21921

  • Attributes

    auth_value: dcbfcd5e87fa5703eac546226d00771d

Targets

    • Target

      42a21e28fb46f5447eb49142619527858cc813ffe9b95995fb9cdfe1d534cb86

    • Size

      9.2MB

    • MD5

      5ac42e560ef470e06c1b37de61b7e63b

    • SHA1

      42617894516357cdb0bb8433ac1ac0f805bb6977

    • SHA256

      42a21e28fb46f5447eb49142619527858cc813ffe9b95995fb9cdfe1d534cb86

    • SHA512

      7d66724b661dfbe5cf1e8e6409ee71be4871c27580635d10cde2279464b580fd706a7e852a2cd941d21decd14dcc0d2970088d7ded5dc47944a6f2e161196363

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                     Count  ID
  Execution             Scheduled Task                1      T1053
  Persistence           Scheduled Task                1      T1053
  Privilege Escalation  Scheduled Task                1      T1053
  Defense Evasion       Install Root Certificate      1      T1130
  Defense Evasion       Modify Registry               1      T1112
  Discovery             Query Registry                1      T1012
  Discovery             System Information Discovery  2      T1082
  Command and Control   Web Service                   1      T1102

Tasks