General
-
Target
233d4866005f2d3de0169af6396e54c6843e5d3148301873e0844b3448a1628f
-
Size
266KB
-
Sample
220912-2f384aaafp
-
MD5
e0a0e6731ec961521947e71f2925ece7
-
SHA1
b805f8bf024ca5957c4d6dec080267d7566cd01f
-
SHA256
233d4866005f2d3de0169af6396e54c6843e5d3148301873e0844b3448a1628f
-
SHA512
cc0f888e59f749a3f42661875e8e3e3f4947cc4da7506d5699c76422b258b8c2361607d02aaa24525fdfa5c424cbe47b7eaa2076bfe62cc1f69dede951feb04b
-
SSDEEP
6144:gg3JpEviTnmdlLE9ty0MPbZMppz3Or4x4NTdmxK:zP6iTnCFE9ty0MPajzOr4x4NT7
Static task
static1
Behavioral task
behavioral1
Sample
233d4866005f2d3de0169af6396e54c6843e5d3148301873e0844b3448a1628f.exe
Resource
win10-20220812-en
Malware Config
Extracted
redline
bits
78.153.144.84:27027
-
auth_value
afc8a7054292ba8aa16820b581e6e054
Extracted
socelars
https://dfgrthres.s3.eu-west-3.amazonaws.com/asdhs909/
Targets
-
Target
233d4866005f2d3de0169af6396e54c6843e5d3148301873e0844b3448a1628f
-
Size
266KB
-
MD5
e0a0e6731ec961521947e71f2925ece7
-
SHA1
b805f8bf024ca5957c4d6dec080267d7566cd01f
-
SHA256
233d4866005f2d3de0169af6396e54c6843e5d3148301873e0844b3448a1628f
-
SHA512
cc0f888e59f749a3f42661875e8e3e3f4947cc4da7506d5699c76422b258b8c2361607d02aaa24525fdfa5c424cbe47b7eaa2076bfe62cc1f69dede951feb04b
-
SSDEEP
6144:gg3JpEviTnmdlLE9ty0MPbZMppz3Or4x4NTdmxK:zP6iTnCFE9ty0MPajzOr4x4NT7
-
Detected Djvu ransomware
-
Detects Smokeloader packer
-
NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Socelars payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Deletes itself
-
Drops startup file
-
Loads dropped DLL
-
Modifies file permissions
-
Unexpected DNS network traffic destination
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-