General
- Target: d69ad8d2f432e57d4f5ecf5d7e7f9300.exe
- Size: 6.1MB
- Sample: 210523-e1x9q23xbe
- MD5: d69ad8d2f432e57d4f5ecf5d7e7f9300
- SHA1: 4db420d6dfc64506e6e8b71ff63e4b240f2a562c
- SHA256: 21415b4bd92f908e375ef73e62b8539724488e9372c6df980d91c01e47ebfd15
- SHA512: d21339419c6a85cb0454e3821d9cf8526b8913007fc500e026dfb6ba28cca96057695f2fa8d283f2b037b467a4229fe9f2b2dcd7cd33c9b0e37925a46e2b3f34
Static task: static1
Behavioral task: behavioral1
- Sample: d69ad8d2f432e57d4f5ecf5d7e7f9300.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: d69ad8d2f432e57d4f5ecf5d7e7f9300.exe
- Resource: win10v20210410
Malware Config
Extracted: vidar
- 38.8
- 827
- https://HAL9THapi.faceit.comlegomind
- profile_id: 827
Extracted: redline
- BBS1
- 87.251.71.193:80
Targets
- Target: d69ad8d2f432e57d4f5ecf5d7e7f9300.exe
- Size: 6.1MB
- MD5: d69ad8d2f432e57d4f5ecf5d7e7f9300
- SHA1: 4db420d6dfc64506e6e8b71ff63e4b240f2a562c
- SHA256: 21415b4bd92f908e375ef73e62b8539724488e9372c6df980d91c01e47ebfd15
- SHA512: d21339419c6a85cb0454e3821d9cf8526b8913007fc500e026dfb6ba28cca96057695f2fa8d283f2b037b467a4229fe9f2b2dcd7cd33c9b0e37925a46e2b3f34
- ElysiumStealer: ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks for common network interception software: Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
- Vidar Stealer
- Blocklisted process makes network request
- Creates new service(s)
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext