redline

General

Target

711A36B5BA6AE169B95EFAA8959E086E.exe
Size

3.6MB
Sample

210704-yqknr5a2wn
MD5

711a36b5ba6ae169b95efaa8959e086e
SHA1

63a5040ee89a510a48fae039d9feb660d5ab3bbd
SHA256

eee3db2c3f4ef7fe80c9f93617920ad0a10b4fa0f1aa5e2cdeb51b3463dd4747
SHA512

735fbb8a9b1f097a9dfd099b6e01f098204ec5a20da874c9cd31ef549fd26f85b26bc9712d9fa248788feb76f7d41e9e4cdd99b940629e95f6d46283126b9fb0

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

Cana

C2

176.111.174.254:56328

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

DomAni2

C2

flestriche.xyz:80

Extracted

Family

vidar

Version

39.4

Botnet

706

C2

https://sergeevih43.tumblr.com

Attributes

profile_id
706

Targets

- Target
  
  711A36B5BA6AE169B95EFAA8959E086E.exe
- Size
  
  3.6MB
- MD5
  
  711a36b5ba6ae169b95efaa8959e086e
- SHA1
  
  63a5040ee89a510a48fae039d9feb660d5ab3bbd
- SHA256
  
  eee3db2c3f4ef7fe80c9f93617920ad0a10b4fa0f1aa5e2cdeb51b3463dd4747
- SHA512
  
  735fbb8a9b1f097a9dfd099b6e01f098204ec5a20da874c9cd31ef549fd26f85b26bc9712d9fa248788feb76f7d41e9e4cdd99b940629e95f6d46283126b9fb0
Score

10^/10

redline smokeloader cana domani2 aspackv2 backdoor infostealer trojan vidar 706 stealer upx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

RedLine Payload

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar

Vidar Stealer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2