redline

General

Target

7ddf5c86_C5LbjK2V13
Size

7.0MB
Sample

210823-vn48lvjt82
MD5

7ddf5c869fe110170ac9c29c01d1f56c
SHA1

32a6e107399e1afa6e3a0d7efc086fe12fe5225c
SHA256

4f51e87555adc3b2b1246354e767c52737d30a1e0b2372e38e9c0883f37f6d75
SHA512

b59a746baa31b3d3936cdcc2ef0ed3afa1b9942358faed38cd68e7ffd92c237a1c3caebbcf0b0e7e6df1f0d3437434199dd871be332fc57b59c9a4c7ad21e598

Score

10^/10

redline socelars vidar 3 916 allsup discovery infostealer stealer suricata

Malware Config

Extracted

Family

vidar

Version

40.1

Botnet

916

C2

https://eduarroma.tumblr.com/

Attributes

profile_id
916

Extracted

Family

redline

Botnet

3

C2

deyrolorme.xyz:80

xariebelal.xyz:80

anihelardd.xyz:80

Extracted

Family

redline

Botnet

allsup

C2

188.124.36.242:25802

Targets

- Target
  
  7ddf5c86_C5LbjK2V13
- Size
  
  7.0MB
- MD5
  
  7ddf5c869fe110170ac9c29c01d1f56c
- SHA1
  
  32a6e107399e1afa6e3a0d7efc086fe12fe5225c
- SHA256
  
  4f51e87555adc3b2b1246354e767c52737d30a1e0b2372e38e9c0883f37f6d75
- SHA512
  
  b59a746baa31b3d3936cdcc2ef0ed3afa1b9942358faed38cd68e7ffd92c237a1c3caebbcf0b0e7e6df1f0d3437434199dd871be332fc57b59c9a4c7ad21e598
Score

10^/10

redline socelars vidar 3 916 allsup discovery infostealer stealer suricata
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Process spawned unexpected child process

RedLine Payload

Socelars

Socelars Payload

Vidar

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Vidar Stealer

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2