redline

General

Target

19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.exe
Size

784KB
Sample

210624-s8xy6bxh3a
MD5

fcff182cb8fed42e720a19ed5b997e5a
SHA1

73f95a618c8659acf1ca63bdc9fdf24f72cb27be
SHA256

19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980
SHA512

b0d74845b3020a547347ef2a11a26a6512a50cf56da54d2fec602661bf7edfde33c09457e7a049c66b035a3b765dc48ddebfc9a89c0f43d572f9779c1be15404

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

111111322

C2

verecalina.xyz:80

Extracted

Family

vidar

Version

39.4

Botnet

909

C2

https://sergeevih43.tumblr.com

Attributes

profile_id
909

Targets

- Target
  
  19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980.exe
- Size
  
  784KB
- MD5
  
  fcff182cb8fed42e720a19ed5b997e5a
- SHA1
  
  73f95a618c8659acf1ca63bdc9fdf24f72cb27be
- SHA256
  
  19e68852c211ebf0cee8dd310f5d191b50e0eae8e32c20d8be8a84afb795e980
- SHA512
  
  b0d74845b3020a547347ef2a11a26a6512a50cf56da54d2fec602661bf7edfde33c09457e7a049c66b035a3b765dc48ddebfc9a89c0f43d572f9779c1be15404
Score

10^/10

redline vidar 111111322 909 discovery evasion infostealer spyware stealer themida trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2