General
Target: fa104a88d04bb381e8f1993eaa559f77e4b7eae75daa54190b26e2c58523ce24.zip
Size: 7.2MB
Sample: 220613-ekt5nahgc6
MD5: 923f52bbbe3a163fc0a4a87cd074bf11
SHA1: d07ab1b2813a1194a8317fb811d98a6cce93a6fd
SHA256: 4c69490f8086cff194db7fdd814d9bcc54f6245389f66fd52a667704a1d240d0
SHA512: e2dd25f75a9f093bc9a949c919a117fdf2c1cd4786312a427d4ad9afae65c18499bc1a6de0f1a4cf5d48fbbebde98d88c2c3fe959a813c5db739b84dfe45ff04
Static task: static1
Behavioral task: behavioral1
Sample: fa104a88d04bb381e8f1993eaa559f77e4b7eae75daa54190b26e2c58523ce24.exe
Resource: win7-20220414-en
Malware Config
Extracted (socelars): https://sa-us-bucket.s3.us-east-2.amazonaws.com/ujfreids61/
Extracted (arkei): Default
Targets
Target: fa104a88d04bb381e8f1993eaa559f77e4b7eae75daa54190b26e2c58523ce24
Size: 7.2MB
MD5: 4b94dd9a273357df8aa448b98acb30da
SHA1: ec45188361a9eaf3035e3057e7dad27edee602a0
SHA256: fa104a88d04bb381e8f1993eaa559f77e4b7eae75daa54190b26e2c58523ce24
SHA512: 662de391d3f05a700845df444a08facd988dfcc86f48b1b94415b33507fb6d45acd7392cb070b1eec3d162e1844c1ea6150722d59e85fe4ab6da16a27623117d
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Socelars Payload
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- suricata: ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext