redline

General

Target

18EB857003B25ADD697BEE9464132BE3.exe
Size

2.9MB
Sample

210712-lpn53twpj2
MD5

18eb857003b25add697bee9464132be3
SHA1

419d3ebc4ae0b8688adfa328d1b88a0e031dd5d6
SHA256

2916c38c3ff4c0e36fbf895409db7b41fd9555cebf6a33cbf5867be8b54e73db
SHA512

4e8e6fe759b87f00334932cbf7e88ae491da15797a6bcb0ec3f57f14c254260b554ededfca1d1babea369672398d13994c38a1687d51d3a995c8d82bcba7af62

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

39.4

Botnet

933

C2

https://sergeevih43.tumblr.com/

Attributes

profile_id
933

Extracted

Family

redline

Botnet

Cana

C2

176.111.174.254:56328

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

rc4.i32

Extracted

Family

vidar

Version

39.4

Botnet

903

C2

https://sergeevih43.tumblr.com/

Attributes

profile_id
903

Extracted

Family

vidar

Version

39.4

Botnet

865

C2

https://sergeevih43.tumblr.com/

Attributes

profile_id
865

Targets

- Target
  
  18EB857003B25ADD697BEE9464132BE3.exe
- Size
  
  2.9MB
- MD5
  
  18eb857003b25add697bee9464132be3
- SHA1
  
  419d3ebc4ae0b8688adfa328d1b88a0e031dd5d6
- SHA256
  
  2916c38c3ff4c0e36fbf895409db7b41fd9555cebf6a33cbf5867be8b54e73db
- SHA512
  
  4e8e6fe759b87f00334932cbf7e88ae491da15797a6bcb0ec3f57f14c254260b554ededfca1d1babea369672398d13994c38a1687d51d3a995c8d82bcba7af62
Score

10^/10

redline vidar 933 cana aspackv2 infostealer stealer themida smokeloader socelars 865 903 backdoor discovery trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2