General
-
Target
file.exe
-
Size
755KB
-
Sample
230410-r2e4aaac54
-
MD5
0af3484ed04ac95e8a84d3b06c4180c0
-
SHA1
15943666568f09c0751b027a42413851df2c6932
-
SHA256
5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70
-
SHA512
c4da82bacbeb4f1aa85421d99d0de53c847e720dbd686a55eec97a641464ee19411bb8e9c0959666d3ac80b3503d1dad65de5e08c91e18c620a9cecfb4bc7c05
-
SSDEEP
12288:VQi3oc6m6UR0Itlp1hf39Wkv8xwJld8kO:VQi4zHITpdUMkkO
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
gcleaner
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Extracted
socelars
https://hdbywe.s3.us-west-2.amazonaws.com/sadfe410/
Targets
-
-
Target
file.exe
-
Size
755KB
-
MD5
0af3484ed04ac95e8a84d3b06c4180c0
-
SHA1
15943666568f09c0751b027a42413851df2c6932
-
SHA256
5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70
-
SHA512
c4da82bacbeb4f1aa85421d99d0de53c847e720dbd686a55eec97a641464ee19411bb8e9c0959666d3ac80b3503d1dad65de5e08c91e18c620a9cecfb4bc7c05
-
SSDEEP
12288:VQi3oc6m6UR0Itlp1hf39Wkv8xwJld8kO:VQi4zHITpdUMkkO
-
Socelars payload
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-