General
- Target: setup_x86_x64_install.bin
- Size: 14.1MB
- Sample: 230710-qa9yxabe2z
- MD5: aa581b1f07d2ab6bfff3134a307cec2e
- SHA1: de449691f3489dd76b891434781b8753802eee14
- SHA256: f114cbd90381a13d1f7fee0ff09a52e238a4451da70191a2adeccbf84817c61a
- SHA512: b8553eecfa308ac4edbc90c565bfa01bef343ff2842f493e495672fabe11409c437fb07fce6296863b8e8363363a58638f900e6c4f3b06341913004f2f20277d
- SSDEEP: 196608:J+D/NGZ0gHyb1HMJPD/egwsjWIH4Aihj+avAs4Tt5Q9NCROf2s3Ak:JYNGLHs1wNw6WIHSvvApTyNCROf2s3Ak
Static task
- static1

Behavioral task
- behavioral1
  - Sample: setup_x86_x64_install.exe
  - Resource: win7-20230703-en

Behavioral task
- behavioral2
  - Sample: setup_x86_x64_install.exe
  - Resource: win10v2004-20230703-en
Malware Config

Extracted: socelars
- http://www.wgqpw.com/

Extracted: redline
- @Bob
- 185.215.113.44:23759
- auth_value: 052aa6a199b3b3a78037547a0c15cdcf

Extracted: smokeloader
- 2020
- http://rcacademy.at/upload/
- http://e-lanpengeonline.com/upload/
- http://vjcmvz.cn/upload/
- http://galala.ru/upload/
- http://witra.ru/upload/

Extracted: smokeloader
- pub5

Extracted: redline
- media2test
- 65.108.69.168:16278
- auth_value: f78d521ba2c4812c35b2d33300976a4e

Extracted: amadey
- 2.85
- 185.215.113.35/d2VxjasuwS/index.php
Targets
- Detect Fabookie payload
- Glupteba payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Socelars payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Modifies boot configuration data using bcdedit
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Vidar Stealer
- Drops file in Drivers directory
- Modifies Windows Firewall
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
- Modify Existing Service: 1
- Registry Run Keys / Startup Folder: 1
- Scheduled Task: 1

Defense Evasion
- Disabling Security Tools: 2
- Modify Registry: 5
- Virtualization/Sandbox Evasion: 1
- Impair Defenses: 1
- Install Root Certificate: 1