redline | fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f | Triage

Submit
Reports

Overview

overview

Static

static

fd5c970806...2f.exe

windows7_x64

fd5c970806...2f.exe

windows10_x64

1

Sharing

General

Target

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f.exe
Size

631KB
Sample

210823-laxa733lbs
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score

10^/10

redline vidar 973 evasion infostealer stealer themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f.exe

Resource

win7v20210410

redline vidar 973 evasion infostealer stealer themida trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f.exe

Resource

win10v20210410

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

vidar

Version

40.1

Botnet

973

C2

https://eduarroma.tumblr.com/

Attributes

profile_id
973

Targets

- Target
  
  fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f.exe
- Size
  
  631KB
- MD5
  
  cb927513ff8ebff4dd52a47f7e42f934
- SHA1
  
  0de47c02a8adc4940a6c18621b4e4a619641d029
- SHA256
  
  fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
- SHA512
  
  988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Score

10^/10

redline vidar 973 evasion infostealer stealer themida trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinevidar973evasioninfostealerstealerthemidatrojan

behavioral2

© 2018-2024

Terms | Privacy