General
- Target: a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb
- Size: 7.0MB
- Sample: 241109-kzhcas1hlk
- MD5: 427e7b72d31cf76f2f36deb3eb762cc4
- SHA1: 08be2960808aa7cde50c5806d5d8aafb8363ca8d
- SHA256: a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb
- SHA512: 9a5370c8a928f09ba28afe01f7f01587cb734f5ace6225400812ecbed38910f5e67f7e6499a21cee63fa7c1cd158010385ad3a69b18f63c12b75f29ec356d71d
- SSDEEP: 196608:BQWQxiK1pW2xVaP0MuZB9iZx78Ev2KYgbmY1D6PscFu:Sxt1pNxVaP5z99vEgyaiu
Static task: static1
Behavioral task: behavioral1
- Sample: 0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6.exe
- Resource: win7-20241010-en
Malware Config
Extracted: nullmixer
- http://621f9481e1e2d.com/
Extracted: socelars
- https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/
Extracted: smokeloader
- pub3
Extracted: gcleaner
- appwebstat.biz
- ads-memory.biz
Extracted: redline
- media60603
- 92.255.57.154:11841
- auth_value: 32ca3353c43f67b3879fce4660e9c65d
Targets
- Target: 0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6
- Size: 7.1MB
- MD5: 1f6e0a406d4d8dbd2c113d3565dbe7a8
- SHA1: dc5a439e7a0e918494c1065fe15d4bbe2b9b33be
- SHA256: 0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6
- SHA512: 59310d8756a63d7df6c05a6ae78721d8339913bca4b47e076a60cdc95071bd690648c1e298bd29510fc252d813a0ea3dc05d7cdf07ef243770722d4fe1b8e59c
- SSDEEP: 196608:xtgdzQIV48kCWgj0JSk2apV4f0PxHtJvMYOYqF06pamS:xtgdz1V4tC3j08k2apyf0pHtWYkC2amS
- Detect Fabookie payload
- Fabookie family
- Gcleaner family
- Nullmixer family
- Onlylogger family
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- Smokeloader family
- Socelars family
- Socelars payload
- Detected Nirsoft tools: free utilities often used by attackers that can steal passwords, product keys, etc.
- NirSoft WebBrowserPassView: password recovery tool for various web browsers.
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext