General

Target: vape-all-versions_439051442.zip
Size: 9.5MB
Sample: 210719-v5c7bfntkn
MD5: 6b19d473e78139fd1304a5017d063b22
SHA1: 81febf16c5451df19900826acf841a2aaef81cc2
SHA256: 96d4253f2a5f87da558797243cf65ebbc3f53fd0a5773e689f90dcf7f5db1abb
SHA512: afe7744478050198687194b210fd20ee26bd1240b080ba62c36d7cd3e8768863cb66c6f98e25942d5e90d39033d6b9f2eea686b6b57d88c25345b960479bad62
Static task: static1

Behavioral task: behavioral1
Sample: _vcofsoig.nfn.exe
Resource: win7v20210410

Behavioral task: behavioral2
Sample: _vcofsoig.nfn.exe
Resource: win10v20210410

Behavioral task: behavioral3
Sample: vape-all-versions_439051442.exe
Resource: win7v20210408

Behavioral task: behavioral4
Sample: vape-all-versions_439051442.exe
Resource: win10v20210410
Malware Config

Extracted: redline
Botnet ID: 180721
C2: cookiebrokrash.info:80

Extracted: redline
Botnet ID: bolshe50
C2: qusenero.xyz:80
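The two extracted RedLine configurations each carry a botnet identifier and a C2 endpoint, and the report lists digests for the archive and both PE targets. The Python below is an added example, not part of the report or of the sandbox's own tooling: it checks that the listed digests are well-formed, lets you confirm that a local copy of a file matches the report before you start analysis, parses the flattened config block into structured IOCs, and emits Suricata rules for the two C2 domains. The rule wording and SIDs are my own choices, and CONFIG_TEXT is a constructed copy of the config section above.

```python
"""IOC handling for the RedLine report: digest checks, C2 extraction, Suricata rules."""
import hashlib
import re

# MD5 and SHA256 digests copied from the report (archive plus the two PE targets).
REPORT_HASHES = {
    "vape-all-versions_439051442.zip": {
        "md5": "6b19d473e78139fd1304a5017d063b22",
        "sha256": "96d4253f2a5f87da558797243cf65ebbc3f53fd0a5773e689f90dcf7f5db1abb",
    },
    "_vcofsoig.nfn.exe": {
        "md5": "2c6fa0b31d84f67377ddd6ea2799b752",
        "sha256": "1c5c3a3fa4fdd0ea52166d9a924fac13883e5c5797b9acd89dace63e1a468f6f",
    },
    "vape-all-versions_439051442.exe": {
        "md5": "8de7400fa27c961d147b562df83afba5",
        "sha256": "c1103a810f1b3a5abd360c04fe1effce6b90d88e30f283d92417ac1fcf72ca84",
    },
}

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def check_hash_format(hashes):
    """Return a list of problems; empty when every digest is lowercase hex of the right length."""
    problems = []
    for algo, digest in hashes.items():
        if algo not in HEX_LEN:
            problems.append(f"unknown algorithm {algo}")
        elif not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[algo], digest):
            problems.append(f"{algo} digest malformed: {digest}")
    return problems


def digest_bytes(data):
    """Compute every digest the report uses for an in-memory file."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HEX_LEN}


def matches_report(data, expected):
    """True only if every digest listed in `expected` matches `data` (one mismatch rejects)."""
    actual = digest_bytes(data)
    return all(actual[algo] == digest for algo, digest in expected.items())


# Constructed copy of the flattened "Malware Config" block, exactly as the report lays it out.
CONFIG_TEXT = """Malware Config
Extracted
redline
180721
cookiebrokrash.info:80
Extracted
redline
bolshe50
qusenero.xyz:80
"""

C2_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def parse_redline_config(text):
    """Turn each 'Extracted / redline / <botnet> / <host>:<port>' run into a dict."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    found = []
    for i, line in enumerate(lines):
        if line == "Extracted" and i + 3 < len(lines) and lines[i + 1] == "redline":
            m = C2_RE.match(lines[i + 3])
            if m:  # skip malformed endpoints rather than guessing
                found.append({"family": "redline", "botnet": lines[i + 2],
                              "host": m["host"], "port": int(m["port"])})
    return found


def suricata_rules(c2s, base_sid=9000001):
    """One DNS-lookup rule and one HTTP Host rule per C2 (Suricata 5+ sticky-buffer syntax)."""
    rules, sid = [], base_sid
    for c2 in c2s:
        host, port, botnet = c2["host"], c2["port"], c2["botnet"]
        rules.append(f'alert dns any any -> any any (msg:"RedLine C2 {host} (botnet {botnet}) DNS lookup"; '
                     f'dns.query; content:"{host}"; nocase; endswith; sid:{sid}; rev:1;)')
        sid += 1
        rules.append(f'alert http any any -> any {port} (msg:"RedLine C2 {host} (botnet {botnet}) HTTP host"; '
                     f'http.host; content:"{host}"; endswith; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    for name, hashes in REPORT_HASHES.items():
        print(name, check_hash_format(hashes) or "digests well-formed")
    for rule in suricata_rules(parse_redline_config(CONFIG_TEXT)):
        print(rule)
```

To verify a downloaded copy, read the file bytes and pass them with the matching REPORT_HASHES entry to matches_report; a single mismatching digest is treated as a different file, which is the conservative choice when a report and a sample may have been re-packed.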
Targets

Target: _vcofsoig.nfn.exe
Size: 2.1MB
MD5: 2c6fa0b31d84f67377ddd6ea2799b752
SHA1: cf0b9d9c65829009eba7c1a5845be69be5e2e837
SHA256: 1c5c3a3fa4fdd0ea52166d9a924fac13883e5c5797b9acd89dace63e1a468f6f
SHA512: 9beaa08110453de703105a17cf6237f099b069bfd913381af334b8f61f8f69c16648f84afe3852a361a934563a27178389a1077ede1a267312394c483d941ce6
Score: 4/10

Target: vape-all-versions_439051442.exe
Size: 8.9MB
MD5: 8de7400fa27c961d147b562df83afba5
SHA1: 5c7a89c25a58ea3adfb954371d740f6f59a6bb97
SHA256: c1103a810f1b3a5abd360c04fe1effce6b90d88e30f283d92417ac1fcf72ca84
SHA512: 27738d8c2eac4d39713ea0f455718cd36f538763e888744def2bdf70da8996d86f1bab66ff708d3c1ffa210cc9c9a2cc0d7bc46c7ce4f0b747b33753621a5fa3
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- ACProtect 1.3x - 1.4x DLL software
  Detects a file packed with the ACProtect protector (versions 1.3x to 1.4x).
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, its WOW6432Node counterpart, and the per-user HKCU copy) to enumerate installed software.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Calls NtSetInformationThread with the ThreadHideFromDebugger information class, a common anti-debugging technique that stops the thread from reporting debug events to an attached debugger.
- Suspicious use of SetThreadContext
  Rewriting another thread's register context is a common step in code injection, notably process hollowing.
- autoit_exe
  AutoIT scripts compiled to PE executables.
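The autoit_exe signature fires on PE files that embed a compiled AutoIt script. The following Python is an added example, not the sandbox's own signature logic: it recognises such files by the 16-byte AutoIt resource magic and the "AU3!EA06" script tag that public AutoIt YARA rules and AutoIt unpackers key on, after confirming the buffer is a PE image. The sample bytes are constructed in-line for the demonstration, not taken from the report's files.

```python
"""Identify PE files that carry a compiled AutoIt v3 script (the autoit_exe signature)."""

# 16-byte magic that introduces the compiled-script resource in AutoIt executables.
AUTOIT_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
# Script-format tag that follows the magic in AutoIt v3.3.x builds.
AU3_TAG = b"AU3!EA06"


def is_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (bounds-checked)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def autoit_markers(data: bytes) -> dict:
    """Offsets of the two markers, or -1 where a marker is absent."""
    return {"magic": data.find(AUTOIT_MAGIC), "au3_tag": data.find(AU3_TAG)}


def is_compiled_autoit(data: bytes) -> bool:
    """True when the buffer is a PE and both AutoIt markers are present, in order."""
    if not is_pe(data):
        return False
    m = autoit_markers(data)
    return m["magic"] >= 0 and m["au3_tag"] > m["magic"]


def build_sample(with_markers: bool) -> bytes:
    """Constructed stand-in: a bare MZ/PE header followed by filler and, optionally, the markers."""
    header = b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\0\0"
    body = b"\0" * 64
    if with_markers:
        body += AUTOIT_MAGIC + AU3_TAG + b"\x11" * 16  # tag directly after the magic, as in real builds
    return header + body


def scan_file(path: str) -> bool:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return is_compiled_autoit(fh.read())


if __name__ == "__main__":
    for label, flag in (("autoit-like", True), ("plain PE", False)):
        print(label, is_compiled_autoit(build_sample(flag)))
```

Both markers are required because the 16-byte magic alone also appears in the AutoIt interpreter itself; requiring the tag after the magic keeps the check aligned with how the script resource is actually laid out.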