General
Target: 20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49
Size: 3.6MB
Sample: 220612-lzpxtagahk
MD5: d1d52827f917a0ac5604e6d32835093c
SHA1: 6e615f013f5ccda98199eadfd8cef500e58d1fc0
SHA256: 20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49
SHA512: 0f3aeb8c1951c2548b16433037e11a22cb3119567a8ad1477a19ab57105e201736fdf749dc13d387e9a874acef313ddcaf5942cbc3a4f81037a0e95db31a82ce
Static task: static1
Behavioral task: behavioral1
Sample: 20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
Resource: win7-20220414-en
Malware Config
Extracted: socelars
- http://www.chosenncrowned.com/
Extracted: redline
- Update
- 185.215.113.10:32605
- auth_value: 910ca2116f2e220a6801edd5a725ab65
Extracted: vidar
- 49.4
- 933
- https://mastodon.online/@banda1ker
- https://koyu.space/@banda2ker
- profile_id: 933
Targets
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- OnlyLogger Payload
- Vidar Stealer
- XMRig Miner Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of SetThreadContext