General
Target: d7348622e8bddc8aeab8662e78d804b6
Size: 3.1MB
Sample: 240319-1t9glagg59
MD5: d7348622e8bddc8aeab8662e78d804b6
SHA1: 7b61698bb07ec312bd92705fdd799c6ce6d3e2c1
SHA256: 12ce860b2726217e1ad462071f073e05b85dce749caaf4a2daa390b56a052208
SHA512: dfac761454073b82e7bc7315e8af2f90fe757e139a55d7508fb2c279e7a7b65134b7d66a405c0a2d25d8e9780b031b1624f294bc9455ad9128523da273bdeaa4
SSDEEP: 49152:/b5G/cTJBQRowY6Zg0fLzc9SWZnJqJDCDTnxJ2xKy+qDDq3a:Un4yg0jyS8JECDjixmqDG
Static task: static1

Malware Config

Extracted: socelars
C2 URLs:
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.wygexde.xyz/

Extracted: asyncrat
Version: 0.5.7B
Botnet: Default
C2: whiteshadows.ddns.net:9731
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: microsoft 2.exe
install_folder: %AppData%

Extracted: redline
Botnet: Liez
C2: liezaphare.xyz:80

Extracted: redline
Botnet: UPD
C2: 185.215.113.45:41009

Extracted: gcleaner
C2 hosts:
g-prtnrs.top
g-prtrs.top
Targets

Target: d7348622e8bddc8aeab8662e78d804b6
Size: 3.1MB
MD5: d7348622e8bddc8aeab8662e78d804b6
SHA1: 7b61698bb07ec312bd92705fdd799c6ce6d3e2c1
SHA256: 12ce860b2726217e1ad462071f073e05b85dce749caaf4a2daa390b56a052208
SHA512: dfac761454073b82e7bc7315e8af2f90fe757e139a55d7508fb2c279e7a7b65134b7d66a405c0a2d25d8e9780b031b1624f294bc9455ad9128523da273bdeaa4
SSDEEP: 49152:/b5G/cTJBQRowY6Zg0fLzc9SWZnJqJDCDTnxJ2xKy+qDDq3a:Un4yg0jyS8JECDjixmqDG

Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload

SectopRAT payload

Socelars payload

Async RAT payload

OnlyLogger payload

XMRig Miner payload

Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

Drops Chrome extension

Legitimate hosting services abused for malware hosting/C2

Looks up geolocation information via web service
Uses a legitimate geolocation web service to determine the infected system's geolocation.

Suspicious use of SetThreadContext