General
-
Target
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a.bin
-
Size
6.9MB
-
Sample
220930-jm4t4adgcr
-
MD5
f94bf1734f34665a65a835cc04a4ad95
-
SHA1
a1311074ee2ae7b307606484ce09b8fa224d391c
-
SHA256
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
-
SHA512
943e246de4e9c52c8017a4439cb12651b28e26165704ec44f14ee7fa3ce88051eef04f38f39af284acf20a02041e6d19eee488ef73d828fa6b8283ce02e34430
-
SSDEEP
196608:JHnih4xeZ4Vcf2QYQ/XLFjge8l/nEjyPBNlbBk:JHniexGZD/LdSnEjWbK
Static task
static1
Behavioral task
behavioral1
Sample
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
nullmixer
http://hornygl.xyz/
Extracted
socelars
http://www.anquyebt.com/
Extracted
redline
media272257
92.255.57.115:11841
-
auth_value
97416ad232ecb7973253e42825ae9b81
Targets
-
-
Target
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a.bin
-
Size
6.9MB
-
MD5
f94bf1734f34665a65a835cc04a4ad95
-
SHA1
a1311074ee2ae7b307606484ce09b8fa224d391c
-
SHA256
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
-
SHA512
943e246de4e9c52c8017a4439cb12651b28e26165704ec44f14ee7fa3ce88051eef04f38f39af284acf20a02041e6d19eee488ef73d828fa6b8283ce02e34430
-
SSDEEP
196608:JHnih4xeZ4Vcf2QYQ/XLFjge8l/nEjyPBNlbBk:JHniexGZD/LdSnEjWbK
-
Detect Fabookie payload
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Socelars payload
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
OnlyLogger payload
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-