General
-
Target
B54032FC01363B6A3DC2378196C4BC4C.exe
-
Size
4.8MB
-
Sample
210828-nk1mnazpea
-
MD5
b54032fc01363b6a3dc2378196c4bc4c
-
SHA1
c8d3b054ace51f4d59d5f774d690b92b672ac593
-
SHA256
79d64ca8a0ebef312050fb2a06a68d246aa0acacb30764da9af8fdbc5f821d0a
-
SHA512
b66b08e4323c430e7274c8dbb0ea75b1040d1b42191d92e7466c56900839e4f31301a058f0192ff7fc7287fd918e59c0b6d6ecdefb61d396c0c6176f91926571
Static task
static1
Behavioral task
behavioral1
Sample
B54032FC01363B6A3DC2378196C4BC4C.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
B54032FC01363B6A3DC2378196C4BC4C.exe
Resource
win10v20210408
Malware Config
Extracted
vidar
40.1
706
https://eduarroma.tumblr.com/
-
profile_id
706
Extracted
redline
pub1
viacetequn.site:80
Extracted
vidar
40.1
1002
https://eduarroma.tumblr.com/
-
profile_id
1002
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Extracted
raccoon
0a7408c65c3ceba29fcaa1d6f9f7143fe4fab73a
-
url4cnc
https://telete.in/secuhaski4
Targets
-
-
Target
B54032FC01363B6A3DC2378196C4BC4C.exe
-
Size
4.8MB
-
MD5
b54032fc01363b6a3dc2378196c4bc4c
-
SHA1
c8d3b054ace51f4d59d5f774d690b92b672ac593
-
SHA256
79d64ca8a0ebef312050fb2a06a68d246aa0acacb30764da9af8fdbc5f821d0a
-
SHA512
b66b08e4323c430e7274c8dbb0ea75b1040d1b42191d92e7466c56900839e4f31301a058f0192ff7fc7287fd918e59c0b6d6ecdefb61d396c0c6176f91926571
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-