General
- Target: 2a66d497a4ca3710cad6097360bee5fdbfc9da5d380e572ff36ed35750cfdc8c
- Size: 339KB
- Sample: 220804-erp5aabgfm
- MD5: e5eb0f1dba3392bb2cfd45b0c7d7eb87
- SHA1: da53c8e24e7d61d8612d87c602685fa29e78c5c8
- SHA256: 2a66d497a4ca3710cad6097360bee5fdbfc9da5d380e572ff36ed35750cfdc8c
- SHA512: 91c92731cd4dabcedcef462d50622a6aedc0337ade4a8d4d5ff567d715814ea48b625fe975845ca97da6c92fc358a979836cea243ae0fc75ccf0ff11c7b835dc
Static task: static1

Malware Config
- Extracted family: socelars
- C2 URL: https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/
Targets
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Socelars payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.