General
-
Target
B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exe
-
Size
6.3MB
-
Sample
220608-x9hf9saae5
-
MD5
18744d81b074ea24f489b58b430b7d9c
-
SHA1
d36bf939a4cf6ed710ff083306b8e3e20ed9e437
-
SHA256
b9ba3633e6ae613c553bb7311affb973b5d3c5f41de5a9e5f1b048cb2cda8a34
-
SHA512
442936e022d224af2439fe66c88bd8b0cbd322d4070468eee4da91b1dc48360553fdb7a3bc6ef6a1da595931f607b79eb7a5fb10ea68431f19a3f1ff081422d1
Static task
static1
Behavioral task
behavioral1
Sample
B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exe
Resource
win7-20220414-en
Malware Config
Extracted
socelars
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
Extracted
redline
media26
91.121.67.60:23325
-
auth_value
e37d5065561884bb54c8ed1baa6de446
Extracted
redline
pub2
185.215.113.46:80
-
auth_value
4a9525ed658ab62eaade23fdc4f4da23
Extracted
redline
chris
194.104.136.5:46013
-
auth_value
9491a1c5e11eb6097e68a4fa8627fda8
Extracted
djvu
http://zfko.org/test3/get.php
-
extension
.rrcc
-
offline_id
k2oZMtQS0H2U97b2eKTMJpROwYzEzq6KcWbdOut1
-
payload_url
http://zerit.top/dl/build2.exe
http://zfko.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-5JlAL7HXIu Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0492JIjdm
Targets
-
Target
B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exe
-
Detected Djvu ransomware
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
-
suricata: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
OnlyLogger Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-