General
-
Target
6537dc51442beed86b6cf785a5f3f5525aa9bebb25cadd3f38399797adf14259.exe
-
Size
3.9MB
-
Sample
210823-g4xftv7bbe
-
MD5
669bb51bb539eaeb45c9163670d84c84
-
SHA1
b54d4d19cd239b5ce601df691690419fe66e661e
-
SHA256
6537dc51442beed86b6cf785a5f3f5525aa9bebb25cadd3f38399797adf14259
-
SHA512
a19823991645c724d0fcc36a4245af971a1eaf3909c268adf809a1bc212a6c09f13d2f394dab3c64dafba1504b34eccfd908b8f1f12cc09b31162b3c5766c9f3
Static task
static1
Behavioral task
behavioral1
Sample
6537dc51442beed86b6cf785a5f3f5525aa9bebb25cadd3f38399797adf14259.exe
Resource
win7v20210408
Malware Config
Extracted
vidar
40.1
706
https://eduarroma.tumblr.com/
-
profile_id
706
Extracted
redline
205.185.119.191:18846
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Extracted
redline
pab3
185.215.113.15:61506
Extracted
vidar
40.1
937
https://eduarroma.tumblr.com/
-
profile_id
937
Targets
-
-
Target
6537dc51442beed86b6cf785a5f3f5525aa9bebb25cadd3f38399797adf14259.exe
-
Size
3.9MB
-
MD5
669bb51bb539eaeb45c9163670d84c84
-
SHA1
b54d4d19cd239b5ce601df691690419fe66e661e
-
SHA256
6537dc51442beed86b6cf785a5f3f5525aa9bebb25cadd3f38399797adf14259
-
SHA512
a19823991645c724d0fcc36a4245af971a1eaf3909c268adf809a1bc212a6c09f13d2f394dab3c64dafba1504b34eccfd908b8f1f12cc09b31162b3c5766c9f3
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-