General

  • Target: 8a8d0044b44f351755b1edd81dee4358a7ec23bf8204b7dbb5145ab196f99cf2
  • Size: 265KB
  • Sample: 220913-bnc4rsedg9
  • MD5: 3b09fde9b9406f47702fa6b5f3b5f4fe
  • SHA1: 7c99171f637c5407a8e112a1da7f50bf541439c7
  • SHA256: 8a8d0044b44f351755b1edd81dee4358a7ec23bf8204b7dbb5145ab196f99cf2
  • SHA512: 9a9c4f7992447b1cc9cc1e4e38a419af295b586e56240fd4e0f52b043831d5f54952c0fe26b6215da26cd03d14573d42750a8f2d97de4ad07ef91f0ce87391c3
  • SSDEEP: 6144:G/osrsiPbHElBYjtMpblPG3PnrZHr0SYNwnUYipY:2JsiPbkvYjtMpblOPrGSY+H

Malware Config

Extracted

  • Family: redline
  • Botnet: bits
  • C2: 78.153.144.84:27027
  • Attributes
    • auth_value: afc8a7054292ba8aa16820b581e6e054

Extracted

  • Family: socelars
  • C2: https://dfgrthres.s3.eu-west-3.amazonaws.com/asdhs909/

Targets

    • Detects Smokeloader packer
    • Process spawned unexpected child process: this typically indicates that the parent process was compromised via an exploit or a macro.
    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • SmokeLoader: modular backdoor trojan in use since 2014.
    • Socelars: Socelars is an infostealer targeting browser cookies and credit card credentials.
    • Socelars payload
    • Downloads MZ/PE file
    • Executes dropped EXE
    • UPX packed file: detects executables packed with the UPX open source packer or a modified variant of it.
    • VMProtect packed file: detects executables packed with the VMProtect commercial packer.
    • Deletes itself
    • Loads dropped DLL
    • Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
    • Unexpected DNS network traffic destination: network traffic on the DNS port to servers other than the configured DNS servers was detected.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of SetThreadContext
