General

Target: f0e3b390f12c8106b899adde4f2f472a995b57a6d5ea7eeebf3010b9a7983421
Size: 181KB
Sample: 220803-yxjn8sfhen
MD5: 7308e5d30e06230d6d90036d07760124
SHA1: 1464abeb5497dcddc708bb7c80257f66b7f0c641
SHA256: f0e3b390f12c8106b899adde4f2f472a995b57a6d5ea7eeebf3010b9a7983421
SHA512: 258efed77ff08cf0f18b64fc4b5bdf699522037c6c347353e9612dde5590ed4094fa3e78c7be89acf8518c55db57edc0097ec746d5505f8d78959e8c35201f1d
Static task: static1

Malware Config

Extracted family: socelars
URL: https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/

The extracted URL is an AWS S3 bucket in the eu-west-1 region; only the bucket name (hueduy) and the path (dkfjrg725/) are attacker-controlled, so the amazonaws.com host on its own is not a usable block indicator and the full URL should be matched instead.
Targets

Target: f0e3b390f12c8106b899adde4f2f472a995b57a6d5ea7eeebf3010b9a7983421 (181KB; MD5, SHA1, SHA256 and SHA512 as listed under General)

- Process spawned unexpected child process: typically indicates the parent process was compromised via an exploit or a malicious macro.
- Socelars payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: reads the country code configured in the registry, most likely to geofence execution to or away from particular regions.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: contacts a legitimate IP lookup service to learn the infected system's external IP address.
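The signatures above are the sandbox's verdict on the sample. The Python below is an added example, not part of the report and not any sandbox's own code: it re-derives the same behavioural signatures from a constructed stream of sandbox-style events, so a practitioner can see what each one actually keys on. The event format, the set of IP-lookup hosts, the list of document-handler parents and every sample event are assumptions made for this example; the only real-world specifics are the Windows registry value `HKCU\Control Panel\International\Geo\Nation` (where Windows stores the configured GEOID) and the virtual-hosted S3 host pattern that the extracted config URL follows.

```python
"""Added example: re-derive sandbox behavioural signatures from constructed events.

Event schema, IP-lookup host list, document-handler list and sample events are
all assumptions for this example, not data taken from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterable

# Windows keeps the user's configured country as a GEOID under this key;
# a read of it is the usual evidence behind "Checks computer location settings".
GEO_NATION_KEY = r"\Control Panel\International\Geo\Nation"

# Assumed set of external-IP reporting services (not taken from the report).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "ifconfig.me", "icanhazip.com"}

# Virtual-hosted-style S3 bucket host, e.g. bucket.s3.eu-west-1.amazonaws.com
S3_HOST_RE = re.compile(r"^[a-z0-9.-]+\.s3[.-][a-z0-9-]+\.amazonaws\.com$", re.I)

# Assumed parents that have no business launching new executables.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "acrord32.exe"}


@dataclass
class Event:
    kind: str  # "regread", "http", "filewrite", "process", "imageload"
    data: dict = field(default_factory=dict)


def detect(events: Iterable[Event]) -> set[str]:
    """Return the set of signature names fired by the event stream."""
    fired: set[str] = set()
    dropped: set[str] = set()  # lower-cased paths of files written with an MZ header
    for ev in events:
        d = ev.data
        if ev.kind == "regread" and d["key"].lower().endswith(GEO_NATION_KEY.lower()):
            fired.add("Checks computer location settings")
        elif ev.kind == "http":
            host = d["host"].lower()
            if host in IP_LOOKUP_HOSTS:
                fired.add("Looks up external IP address via web service")
            if S3_HOST_RE.match(host):
                fired.add("Legitimate hosting services abused for malware hosting/C2")
            if d.get("body", b"")[:2] == b"MZ":  # DOS header of a PE file
                fired.add("Downloads MZ/PE file")
        elif ev.kind == "filewrite":
            if d["content"][:2] == b"MZ":
                dropped.add(d["path"].lower())
        elif ev.kind == "process":
            if d["image"].lower() in dropped:
                fired.add("Executes dropped EXE")
            if d["parent"].lower().rsplit("\\", 1)[-1] in DOCUMENT_HANDLERS:
                fired.add("Process spawned unexpected child process")
        elif ev.kind == "imageload":
            image = d["image"].lower()
            if image in dropped and image.endswith(".dll"):
                fired.add("Loads dropped DLL")
    return fired


# Constructed event stream modelled on the behaviours listed in the report.
SAMPLE_EVENTS = [
    Event("regread", {"key": r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"}),
    Event("http", {"host": "api.ipify.org", "path": "/", "body": b"203.0.113.7"}),
    Event("http", {"host": "hueduy.s3.eu-west-1.amazonaws.com", "path": "/dkfjrg725/",
                   "body": b"MZ\x90\x00" + b"\x00" * 60}),
    Event("filewrite", {"path": r"C:\Users\user\AppData\Local\Temp\stage2.exe",
                        "content": b"MZ\x90\x00"}),
    Event("filewrite", {"path": r"C:\Users\user\AppData\Local\Temp\helper.dll",
                        "content": b"MZ\x90\x00"}),
    Event("process", {"image": r"C:\Users\user\AppData\Local\Temp\stage2.exe",
                      "parent": r"C:\Users\user\Desktop\sample.exe"}),
    Event("imageload", {"image": r"C:\Users\user\AppData\Local\Temp\helper.dll"}),
]

if __name__ == "__main__":
    for name in sorted(detect(SAMPLE_EVENTS)):
        print(name)
```

Running the block prints six of the eight signatures from the report; "Process spawned unexpected child process" does not fire because the dropped EXE is launched by the sample itself rather than by a document handler, and "Socelars payload" is a static family match that an event stream cannot reproduce.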