General
-
Target
2d1d2cd3f3cbce923d3db88aa44212210da57e9e032e2ff4a1766fe51ff1255e.exe
-
Size
4.2MB
-
Sample
210712-m4rby144n6
-
MD5
4554bf0ab199af75af2199e9bde53a33
-
SHA1
94db08baa878322eec7359ebf0f43feb9ac9c97e
-
SHA256
2d1d2cd3f3cbce923d3db88aa44212210da57e9e032e2ff4a1766fe51ff1255e
-
SHA512
08074ed52dc8b7dd1d74f119b965cae8d03c0fa2696cedbb567898678daa758a3e55bb38380dbc60ccdd6cf1ad5dd5e284df4b4a879ae673b53217a87c593670
Static task
static1
Behavioral task
behavioral1
Sample
2d1d2cd3f3cbce923d3db88aa44212210da57e9e032e2ff4a1766fe51ff1255e.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
2d1d2cd3f3cbce923d3db88aa44212210da57e9e032e2ff4a1766fe51ff1255e.exe
Resource
win10v20210410
Malware Config
Extracted
vidar
39.4
890
https://sergeevih43.tumblr.com/
-
profile_id
890
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Targets
-
-
Target
2d1d2cd3f3cbce923d3db88aa44212210da57e9e032e2ff4a1766fe51ff1255e.exe
-
Size
4.2MB
-
MD5
4554bf0ab199af75af2199e9bde53a33
-
SHA1
94db08baa878322eec7359ebf0f43feb9ac9c97e
-
SHA256
2d1d2cd3f3cbce923d3db88aa44212210da57e9e032e2ff4a1766fe51ff1255e
-
SHA512
08074ed52dc8b7dd1d74f119b965cae8d03c0fa2696cedbb567898678daa758a3e55bb38380dbc60ccdd6cf1ad5dd5e284df4b4a879ae673b53217a87c593670
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Sets DLL path for service in the registry
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
autoit_exe
AutoIT scripts compiled to PE executables.
-