redline

Sharing

Copy URL

Twitter E-mail

General

Target

D0E7259AF04DE5BE1D5942BB4F27FA09.exe
Size

6.0MB
Sample

210709-txc4kl79y6
MD5

d0e7259af04de5be1d5942bb4f27fa09
SHA1

03f88a73c5c6766bd8eb41d3cd0e959dfc51f6b0
SHA256

659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767
SHA512

a3ded799c26b894b9262efbf52db40de5a206235fa6fd5ada29223197ef54f3fefec2ce0d13a393255b77d80b8a4d83eae11c2af94f230fef4e4a10a5a7f43b3

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

39.4

Botnet

933

https://sergeevih43.tumblr.com/

Attributes

profile_id
933

Extracted

Family

redline

Botnet

Ani

detuyaluro.xyz:80

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

rc4.i32

Extracted

Family

redline

Botnet

Cana

176.111.174.254:56328

Extracted

Family

vidar

Version

39.4

Botnet

903

https://sergeevih43.tumblr.com/

Attributes

profile_id
903

Extracted

Family

vidar

Version

39.4

Botnet

921

https://sergeevih43.tumblr.com/

Attributes

profile_id
921

Targets

- Target
  
  D0E7259AF04DE5BE1D5942BB4F27FA09.exe
- Size
  
  6.0MB
- MD5
  
  d0e7259af04de5be1d5942bb4f27fa09
- SHA1
  
  03f88a73c5c6766bd8eb41d3cd0e959dfc51f6b0
- SHA256
  
  659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767
- SHA512
  
  a3ded799c26b894b9262efbf52db40de5a206235fa6fd5ada29223197ef54f3fefec2ce0d13a393255b77d80b8a4d83eae11c2af94f230fef4e4a10a5a7f43b3
Score

10^/10

redline smokeloader vidar 933 ani aspackv2 backdoor infostealer persistence stealer trojan 903 921 cana evasion upx
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Scripting

Web Service

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

RedLine Payload

SmokeLoader

Vidar

Vidar Stealer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2