General
Target: F667CCAE3AC7F9C029F3C2B788DCBDDD.exe
Size: 3.3MB
Sample: 210629-ka84qka74j
MD5: f667ccae3ac7f9c029f3c2b788dcbddd
SHA1: 753981c4a273b5375503f9278d2239054982178f
SHA256: 923e1d37bb37118bd66462b153d9fa0d4518898ed56f0252690a6d9eb111a0d7
SHA512: a18f696d0909ca31440fdd66a21ef73a79af20a844423b699badfff745d99a663f52139fe04f6789f7a93b614f36d67ad0cae494cdb708671c4c679dac998c06
Static task: static1
Behavioral task: behavioral1
Sample: F667CCAE3AC7F9C029F3C2B788DCBDDD.exe
Resource: win7v20210408
Malware Config

Extracted: vidar
  Version: 39.4
  Botnet: 706
  C2: https://sergeevih43.tumblr.com
  profile_id: 706

Extracted: smokeloader
  Version: 2020
  C2:
    http://ppcspb.com/upload/
    http://mebbing.com/upload/
    http://twcamel.com/upload/
    http://howdycash.com/upload/
    http://lahuertasonora.com/upload/
    http://kpotiques.com/upload/

Extracted: redline
  Botnet: Cana
  C2: 176.111.174.254:56328

Extracted: redline
  Botnet: 29_6_r
  C2: rdanoriran.xyz:80

Extracted: vidar
  Version: 39.4
  Botnet: 865
  C2: https://sergeevih43.tumblr.com
  profile_id: 865

Extracted: vidar
  Version: 39.4
  Botnet: 932
  C2: https://sergeevih43.tumblr.com
  profile_id: 932

Extracted: redline
  Botnet: prolib9
  C2: 130.193.54.53:32750

Extracted: redline
  Botnet: NewAni
  C2: changidwia.xyz:80

Extracted: guloader
  C2: https://cdn.discordapp.com/attachments/859444299618582560/859474854498271232/Heck.bin
Targets
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks QEMU agent file: checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software installed on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext