General
- Target: F735CF911B0F9914977D9DA28E834447E4100EC8A2D5E.exe
- Size: 7.3MB
- Sample: 220725-yytwladcb7
- MD5: 36b5244e8e59d91dd8a1a9d128e77669
- SHA1: b8011c51aeb9e7e48fb851dfa50adb5dcba91219
- SHA256: f735cf911b0f9914977d9da28e834447e4100ec8a2d5e7d93200698315738cbd
- SHA512: 1834766b9a45b03f09216f4530d9049b9695439b6109f119122e2fb1bb60b9342bc1d3bfa30bcb71f23ef970c738dc98b09eccf7e1e459ce186d9eeb839f1812
Static task: static1
Behavioral task: behavioral1 (Sample: F735CF911B0F9914977D9DA28E834447E4100EC8A2D5E.exe; Resource: win7-20220718-en)
Behavioral task: behavioral2 (Sample: F735CF911B0F9914977D9DA28E834447E4100EC8A2D5E.exe; Resource: win10v2004-20220721-en)
Malware Config
- Extracted socelars: https://sa-us-bucket.s3.us-east-2.amazonaws.com/eurfrsa613/
- Extracted nymaim: 37.0.8.39, 31.210.20.149, 212.192.241.16, 208.67.104.9
- Extracted redline (newtest): 141.95.211.151:24029; auth_value a0bf37a209b865355f69bcfed901687e
- Extracted redline (@tag12312341): 62.204.41.144:14096; auth_value 71466795417275fac01979e57016e277
- Extracted redline (4): 31.41.244.134:11643; auth_value a516b2d034ecd34338f12b50347fbd92
- Extracted redline (nam3): 103.89.90.61:18728; auth_value 64b900120bbceaa6a9c60e9079492895
- Extracted redline (https://t.me/insttailer): 185.199.224.90:37143; auth_value 1e73e022970e3ad55c62cb5010e7599b
Targets
- Target: F735CF911B0F9914977D9DA28E834447E4100EC8A2D5E.exe
- Size: 7.3MB
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Socelars payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination: Network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext