General
- Target: 592ae0c8dc2a2895a4dc6d44465d45bd44d6b7596bd60e9862b942c8d03e594e
- Size: 265KB
- Sample: 220912-3lch1aedb7
- MD5: c2c2dac3745bf4298068ba62eaff1617
- SHA1: 7be6fc92d73c13c47f1e1abbf8cc3ead7b13a615
- SHA256: 592ae0c8dc2a2895a4dc6d44465d45bd44d6b7596bd60e9862b942c8d03e594e
- SHA512: a4faa70e6ba989b73528c5d959af7fd8b8bd1aefdbf2ff412336fb2cd96ee13ca6ea05f8a7f143e2a5712984b027b4567c07b98e35ddac491c73e6dd6f2e5394
- SSDEEP: 3072:HGl7nSf8FWmbF+y5lReiKgBOPFlKcvqSBHaSGzw87xq9JYSo54bDMelrr3x5Lo5:Z6F+y5lsiK5PFlKcSgGzwSxy7HHR958

Static task
- static1

Malware Config
Extracted
- Family: socelars
- C2: https://dfgrthres.s3.eu-west-3.amazonaws.com/asdhs909/
Targets
- Target: 592ae0c8dc2a2895a4dc6d44465d45bd44d6b7596bd60e9862b942c8d03e594e
Signatures
- Detects Smokeloader packer
- NetSupport: NetSupport is a remote access tool sold as legitimate system administration software.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Socelars payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software installed on the system.
- Legitimate hosting services abused for malware hosting/C2