General
Target: 66905788E3FB350A6134A1F2BF7BCCFC.exe
Size: 4.5MB
Sample: 210702-3kb1c8p67x
MD5: 66905788e3fb350a6134a1f2bf7bccfc
SHA1: b8d03df995e0657a11697f668d8ea437089b8e47
SHA256: 83571a7d91666d2bd461324573379810b2674e640ebd739b24cb4a91c00345ef
SHA512: d98d2b0f320461e1e2d0d90222cdb4bcd56164258215cc5b7787810a4ae442033a1fbbc4b603d3339c0bd3143841ad7437c80244b7bd7c0b4e2a6cf9782eae54
Static task: static1
Behavioral task: behavioral1 (sample 66905788E3FB350A6134A1F2BF7BCCFC.exe, resource win7v20210410)
Behavioral task: behavioral2 (sample 66905788E3FB350A6134A1F2BF7BCCFC.exe, resource win10v20210408)
Malware Config
Extracted: vidar
Version: 39.4
Botnet: 706
C2: https://sergeevih43.tumblr.com
profile_id: 706
Extracted: redline
Botnet: DomAni
C2: varinnitof.xyz:80
Extracted: smokeloader
Version: 2020
C2: http://ppcspb.com/upload/
C2: http://mebbing.com/upload/
C2: http://twcamel.com/upload/
C2: http://howdycash.com/upload/
C2: http://lahuertasonora.com/upload/
C2: http://kpotiques.com/upload/
Extracted: vidar
Version: 39.4
Botnet: 903
C2: https://sergeevih43.tumblr.com
profile_id: 903
Targets
Target: 66905788E3FB350A6134A1F2BF7BCCFC.exe (4.5MB; MD5, SHA1, SHA256 and SHA512 identical to the values listed under General)
RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess: a process is created under a parent other than the caller, which is how parent-PID spoofing is done.
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Downloads MZ/PE file
Executes dropped EXE
Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Modifies file permissions
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger: ThreadHideFromDebugger hides the calling thread from an attached debugger, a common anti-debugging step.
Suspicious use of SetThreadContext: rewriting another thread's context is a common step in process injection and hollowing.
MITRE ATT&CK Matrix (ATT&CK v6)
Tactic | Technique | Signature count
Persistence | Modify Existing Service | 1
Persistence | Registry Run Keys / Startup Folder | 1
Persistence | Scheduled Task | 1
Defense Evasion | Modify Registry | 3
Defense Evasion | Disabling Security Tools | 2
Defense Evasion | Virtualization/Sandbox Evasion | 1
Defense Evasion | File Permissions Modification | 1