General
-
Target
https://href.li/?http://65.1.93.213/?25fef65237226a3334a4dcfa67f8369e7d299bee=f5b045111907a2cf0fa26b83764fc1f317268bb3&m=146&q=McAfee%20LiveSafe%2016.0%20R22%20Crack%202021%20Activation%20Key%20Free%20Download&dedica=16
-
Sample
210626-fzke6fdp2x
Malware Config
Extracted
redline
25_6_r
rdanoriran.xyz:80
Extracted
vidar
39.4
706
https://sergeevih43.tumblr.com
-
profile_id
706
Extracted
smokeloader
2020
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
Targets
-
-
Target
https://href.li/?http://65.1.93.213/?25fef65237226a3334a4dcfa67f8369e7d299bee=f5b045111907a2cf0fa26b83764fc1f317268bb3&m=146&q=McAfee%20LiveSafe%2016.0%20R22%20Crack%202021%20Activation%20Key%20Free%20Download&dedica=16
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-