General
-
Target
2fc7d93dc85c813ecf2157ef43e53845ad46343b17ec0648f55101a8330005d6
-
Size
6.9MB
-
Sample
241109-kz78qa1hmk
-
MD5
3fbac86ed0aa4fe2aab4e62748550746
-
SHA1
64b0e33dd3dca744e0ac48b70b17ccaae8e71619
-
SHA256
2fc7d93dc85c813ecf2157ef43e53845ad46343b17ec0648f55101a8330005d6
-
SHA512
25437b69fefcfc4f988130abf6334ab52d871f3f608684cf59a6cc005cb4b642e68b8180ea20a569bcca8aa0aa3558c070be2643a3b279a90054de23fa4fb8af
-
SSDEEP
196608:XwoExAku0xtgpFdLzOiM58cgv0iTFiWSk:XwoSAD0tUzOiQV/qFiWSk
Static task
static1
Behavioral task
behavioral1
Sample
174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
setup_installer.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
setup_installer.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
socelars
http://www.anquyebt.com/
Extracted
nullmixer
http://hornygl.xyz/
Extracted
smokeloader
pub3
Extracted
redline
media262231
92.255.57.115:11841
-
auth_value
5e0e6c3491655e18f0126b2b32773d57
Extracted
gcleaner
appwebstat.biz
ads-memory.biz
Targets
-
-
Target
174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e
-
Size
6.9MB
-
MD5
2db59bc805ebb1b8b1a947b15684e899
-
SHA1
97e2beaa6bcddf9b27a1175352a85fc769d88597
-
SHA256
174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e
-
SHA512
e3849f480698c82229f49914d0cfb3dd2d836e492f2eaea3f26170a12d08cc591aaf17efb0798d75456997ef846d5180653549268925afcdefdb4bbd17229e46
-
SSDEEP
196608:JFyORANUm677HoE/IEyu9vAhzsN4MlPbuumo8YG:J4OS+m67c+IkhAhI/lPbuldb
-
Detect Fabookie payload
-
Fabookie family
-
Gcleaner family
-
Nullmixer family
-
Onlylogger family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Smokeloader family
-
Socelars family
-
Socelars payload
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
OnlyLogger payload
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
setup_installer.exe
-
Size
6.9MB
-
MD5
d3e22d7fcc478eaf4b9e03a8a5038c12
-
SHA1
bfa29d4c2535b479102cd37c4a7f4245961daeb3
-
SHA256
6d7f35c19fef11f48a274dcf38e942635e6946eca4ecd3c39dd38de8e0cbf656
-
SHA512
83bc2bd9f2b5fe85a5eabdb6aab5c6ba64ac590b005780cee51d7c01f565a416b674fa9ff1b439325f9e50604fe130c3911c43c50da0254f0309beca742a1956
-
SSDEEP
196608:xkYTPwdk38Jcv2PH7iFO4SzNWRDLR2/oyRZ156yoJ2YWc:xkYTodk30cvIHV4ShYL8oIZ18TP
-
Detect Fabookie payload
-
Fabookie family
-
Gcleaner family
-
Nullmixer family
-
Onlylogger family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Smokeloader family
-
Socelars family
-
Socelars payload
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
OnlyLogger payload
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1