General
-
Target
20e1834814a6c07cbc793ea74c90e52c27cfb2769c6279a67f2d35c269ac6df4.zip
-
Size
11.0MB
-
Sample
220629-txhpqabaer
-
MD5
a65ce5c242deb59447163f17fda78a73
-
SHA1
a5c0961a96692ef115c58902d81440e5d421a1df
-
SHA256
ee425dd892ad9a6c7ac05c28c7beedc75415f2f1f52839910615f2993348a549
-
SHA512
03b4d48c993ee3d6d4f2b9217c181928c75a35c43e39902c85c066b9a64c5c0743c9b8d048d2ee2b0b206c895b31c9ddc1047de50d733a41da0628983cb49e8c
Static task
static1
Behavioral task
behavioral1
Sample
20e1834814a6c07cbc793ea74c90e52c27cfb2769c6279a67f2d35c269ac6df4.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
20e1834814a6c07cbc793ea74c90e52c27cfb2769c6279a67f2d35c269ac6df4.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
socelars
https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/
Extracted
raccoon
5d97af5558068676fa56398795dfd9bdef881238
-
url4cnc
http://174.138.11.98/ademup
http://194.180.191.44/ademup
http://91.219.236.120/ademup
https://t.me/ademup
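The extracted configs above are only useful once they are turned into indicators and checked against traffic. The block below is an added example, not part of this report or of any tooling it was produced with: it parses the Socelars and Raccoon URLs listed above into host and URL indicators and runs them over a few constructed proxy log lines. The log format, the SHARED_HOSTS rule (Telegram's t.me serves legitimate traffic, so only the exact channel path is flagged there) and the timestamps are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlparse

# C2 URLs copied from the "Malware Config" section of this report.
EXTRACTED = {
    "socelars": ["https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/"],
    "raccoon": [
        "http://174.138.11.98/ademup",
        "http://194.180.191.44/ademup",
        "http://91.219.236.120/ademup",
        "https://t.me/ademup",
    ],
}

# Hosts shared with legitimate traffic: a bare host match here would flag all of
# Telegram, so only the full host+path indicator counts. (Assumption for this example.)
SHARED_HOSTS = {"t.me"}

# Constructed proxy log lines: "<ts> <client> <method> <url> <status>". Not from the report.
SAMPLE_PROXY_LOG = [
    "2022-06-29T16:21:03Z 10.0.0.12 GET http://174.138.11.98/ademup 200",
    "2022-06-29T16:21:04Z 10.0.0.12 GET https://t.me/ademup 200",
    "2022-06-29T16:21:05Z 10.0.0.12 GET https://t.me/durov 200",
    "2022-06-29T16:21:09Z 10.0.0.12 GET https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/setup.exe 200",
    "2022-06-29T16:21:10Z 10.0.0.12 GET https://www.example.com/ 200",
]


def build_iocs(extracted):
    """Turn extracted C2 URLs into (family, kind, value) indicators.

    Each URL yields a host indicator (kind 'ip' or 'domain') and a 'url'
    indicator of the form 'host/path' so that matching can be done at either level.
    """
    iocs = []
    for family, urls in extracted.items():
        for url in urls:
            parsed = urlparse(url)
            host = parsed.hostname
            try:
                ipaddress.ip_address(host)
                kind = "ip"
            except ValueError:
                kind = "domain"
            iocs.append((family, kind, host))
            iocs.append((family, "url", f"{host}{parsed.path}"))
    return iocs


def match_proxy_log(iocs, lines):
    """Return (line_no, family, indicator) for every log line that hits an IOC.

    Exact host+path matches win; otherwise a host match is reported unless the
    host is in SHARED_HOSTS, where a path-less match would be noise.
    """
    by_host, by_url = {}, {}
    for family, kind, value in iocs:
        (by_url if kind == "url" else by_host).setdefault(value, family)
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the sweep
        parsed = urlparse(parts[3])
        host = parsed.hostname
        if host is None:
            continue
        key = f"{host}{parsed.path}"
        if key in by_url:
            hits.append((n, by_url[key], key))
        elif host in by_host and host not in SHARED_HOSTS:
            hits.append((n, by_host[host], host))
    return hits


if __name__ == "__main__":
    for hit in match_proxy_log(build_iocs(EXTRACTED), SAMPLE_PROXY_LOG):
        print(hit)
```

Lines 1, 2 and 4 of the constructed log are flagged; the request to another Telegram channel on line 3 is not, which is the point of treating t.me as a shared host rather than blocking it outright.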
Targets
-
Target
20e1834814a6c07cbc793ea74c90e52c27cfb2769c6279a67f2d35c269ac6df4
-
Size
11.1MB
-
MD5
d2eea7e948e24d64a97d94f4391f3993
-
SHA1
cd8bf25bf90ffcdc3a4f31e7967555e3be1b6abf
-
SHA256
20e1834814a6c07cbc793ea74c90e52c27cfb2769c6279a67f2d35c269ac6df4
-
SHA512
21c21eb5641b13339349314dc5648dc3a1eddb93f3d349f47e34210ec4855f90eb56f5df70d5dfc368ad37135473eb274d85647450b62d775a9b0aaf7f3f1cf9
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Socelars Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE ClipBanker Variant Activity (POST)
-
OnlyLogger Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, most likely to geofence (abort or change behaviour in certain countries).
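A registry read of a locale value is easy to miss in an API trace because the query names only the value ("Nation") and the key was opened earlier under a handle. The block below is an added example, not code from this report: it tracks RegOpenKeyExW handles so a later RegQueryValueExW can be tied back to its full path, then flags reads of the country/locale values. The trace line format is a constructed sandbox-style format, and the set of registry values watched is an assumption, since the report does not say which value this sample read.

```python
import re

# Registry values that expose the configured country or locale. Which one this sample
# read is not stated in the report; this set is an assumption for the example.
GEO_VALUES = {
    r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation",
    r"HKEY_CURRENT_USER\Control Panel\International\Geo\Name",
    r"HKEY_CURRENT_USER\Control Panel\International\sCountry",
    r"HKEY_CURRENT_USER\Control Panel\International\LocaleName",
}

# Constructed API-trace lines (not the report's format). GeoID 244 is the United States.
SAMPLE_TRACE = [
    r'RegOpenKeyExW hKey=HKEY_CURRENT_USER subkey="Software\Microsoft\Windows\CurrentVersion" -> handle=0x1a0',
    r'RegQueryValueExW handle=0x1a0 value="ProgramFilesDir" -> data="C:\Program Files"',
    r'RegCloseKey handle=0x1a0',
    r'RegOpenKeyExW hKey=HKEY_CURRENT_USER subkey="Control Panel\International\Geo" -> handle=0x1a4',
    r'RegQueryValueExW handle=0x1a4 value="Nation" -> data="244"',
    r'RegCloseKey handle=0x1a4',
]

OPEN_RE = re.compile(r'RegOpenKeyExW hKey=(\S+) subkey="([^"]*)" -> handle=(0x[0-9a-f]+)')
QUERY_RE = re.compile(r'RegQueryValueExW handle=(0x[0-9a-f]+) value="([^"]*)" -> data="([^"]*)"')
CLOSE_RE = re.compile(r'RegCloseKey handle=(0x[0-9a-f]+)')


def find_geo_lookups(trace):
    """Return (full value path, data) for every query of a country/locale value.

    Open handles are mapped to their key path so that a query naming only the
    value ('Nation') is resolved against the key it was opened under.
    """
    handles = {}  # handle -> full key path
    hits = []
    for line in trace:
        if m := OPEN_RE.match(line):
            handles[m.group(3)] = f"{m.group(1)}\\{m.group(2)}"
        elif m := QUERY_RE.match(line):
            path = f"{handles.get(m.group(1), '?')}\\{m.group(2)}"
            if path in GEO_VALUES:
                hits.append((path, m.group(3)))
        elif m := CLOSE_RE.match(line):
            handles.pop(m.group(1), None)  # handle may be reused later
    return hits


if __name__ == "__main__":
    for path, data in find_geo_lookups(SAMPLE_TRACE):
        print(f"geo lookup: {path} = {data}")
```

The ProgramFilesDir read in the constructed trace is ignored and only the Geo\Nation read is reported. On its own a locale read is common in benign software; it becomes interesting, as here, when it sits next to payload download and execution.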
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Traffic on the DNS port was sent to servers other than the DNS servers configured on the host.
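The signature above reduces to one rule: any flow on port 53 whose destination is not a configured resolver. The block below is an added example, not code from this report or its sandbox: it applies that rule to a handful of constructed flow records. The resolver addresses and the flow tuples are assumptions made for the example.

```python
import ipaddress

# Resolvers the host is configured to use (assumed for this example).
CONFIGURED_DNS = {"10.0.0.1", "10.0.0.2"}

# Constructed flow records: (src, dst, proto, dport). Not taken from the report.
SAMPLE_FLOWS = [
    ("10.0.0.12", "10.0.0.1", "udp", 53),        # normal lookup via configured resolver
    ("10.0.0.12", "8.8.8.8", "udp", 53),         # hardcoded public resolver
    ("10.0.0.12", "174.138.11.98", "tcp", 80),   # C2 over HTTP, not DNS
    ("10.0.0.12", "1.1.1.1", "tcp", 53),         # DNS over TCP to an unexpected server
    ("10.0.0.12", "10.0.0.2", "udp", 53),        # second configured resolver
]


def unexpected_dns_destinations(flows, configured=CONFIGURED_DNS, port=53):
    """Return flows on the DNS port whose destination is not a configured resolver.

    Both UDP and TCP are checked: a resolver switch to TCP (large answers, or
    deliberate evasion of UDP-only monitoring) must not slip through.
    """
    allowed = {ipaddress.ip_address(a) for a in configured}
    return [
        f for f in flows
        if f[3] == port
        and f[2] in ("udp", "tcp")
        and ipaddress.ip_address(f[1]) not in allowed
    ]


def summarize(flows, configured=CONFIGURED_DNS):
    """Count unexpected DNS destinations per server, for a quick triage view."""
    counts = {}
    for _, dst, _, _ in unexpected_dns_destinations(flows, configured):
        counts[dst] = counts.get(dst, 0) + 1
    return counts


if __name__ == "__main__":
    for dst, n in summarize(SAMPLE_FLOWS).items():
        print(f"{dst}: {n} DNS flow(s) bypassing configured resolvers")
```

The two flows to 8.8.8.8 and 1.1.1.1 are reported. Malware that hardcodes a public resolver this way sidesteps any blocking or sinkholing done on the organisation's own DNS servers, which is why the bypass itself is worth alerting on even when the public resolver is otherwise harmless.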
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-