General

Target: 9C83561FB5253478D523E0CA20900B7E0CE87E60F686B.exe
Size: 2.7MB
Sample: 210902-kr3mtap33j
MD5: bf17c97738b7ab1b85ddf5fb31e6f53b
SHA1: dd8c911aa34fd6ced33d3370d7d8a15d72a39a90
SHA256: 9c83561fb5253478d523e0ca20900b7e0ce87e60f686bfea25c9ca99716257c2
SHA512: b85b302e2d459e573c32f2fa1213c9babac58339a50a5fdb0adb055284df542ce9071a62ba7db7c7791228fb263af161547b1f45b022c62d3e80e3f444d10528
Static task: static1

Behavioral task: behavioral1
Sample: 9C83561FB5253478D523E0CA20900B7E0CE87E60F686B.exe
Resource: win7-en

Behavioral task: behavioral2
Sample: 9C83561FB5253478D523E0CA20900B7E0CE87E60F686B.exe
Resource: win10-en
Malware Config

Extracted
Family: redline
C2: 193.56.146.60:16367

Extracted
Family: redline
Botnet: Cana01
C2: 176.111.174.254:56328

Extracted
Family: vidar
Version: 39.5
Botnet: 933
C2: https://olegf9844.tumblr.com/
profile_id: 933

Extracted
Family: redline
Botnet: AniOLD
C2: akedauiver.xyz:80

Extracted
Family: smokeloader
Version: 2020
C2:
- http://conceitosseg.com/upload/
- http://integrasidata.com/upload/
- http://ozentekstil.com/upload/
- http://finbelportal.com/upload/
- http://telanganadigital.com/upload/

Extracted
Family: redline
Botnet: NORMAN3
C2: 45.14.49.184:28743

Extracted
Family: raccoon
Botnet: d02c5d65069fc7ce1993e7c52edf0c9c4c195c81
url4cnc: https://telete.in/open3entershift

Extracted
Family: redline
Botnet: spnewportspectr
C2: 135.148.139.222:1594
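The extracted configurations are the most directly actionable part of this report. The Python below is an added example, not part of the sandbox report and not code from any of the listed families: it transcribes the C2 values above into exact-match indicators and runs them over a few constructed log lines in an assumed "timestamp source destination port host url" format (the client and destination addresses 10.0.0.15, 198.51.100.x and 203.0.113.4 are constructed, as is the log format). The shared hosting domains tumblr.com and telete.in are kept out of the host indicator set and matched on the full C2 URL only, since a bare-domain hit on either would fire on every legitimate visit; the function and constant names are chosen here.

```python
"""Turn the C2 values from the extracted configs into exact-match IOCs and
scan constructed log lines with them. Added example, not part of the report."""
import ipaddress
from urllib.parse import urlparse

# Transcribed from the report's Malware Config section (family, botnet, C2).
EXTRACTED_CONFIGS = [
    {"family": "redline", "botnet": None, "c2": ["193.56.146.60:16367"]},
    {"family": "redline", "botnet": "Cana01", "c2": ["176.111.174.254:56328"]},
    {"family": "vidar", "botnet": "933", "c2": ["https://olegf9844.tumblr.com/"]},
    {"family": "redline", "botnet": "AniOLD", "c2": ["akedauiver.xyz:80"]},
    {"family": "smokeloader", "botnet": None, "c2": [
        "http://conceitosseg.com/upload/",
        "http://integrasidata.com/upload/",
        "http://ozentekstil.com/upload/",
        "http://finbelportal.com/upload/",
        "http://telanganadigital.com/upload/",
    ]},
    {"family": "redline", "botnet": "NORMAN3", "c2": ["45.14.49.184:28743"]},
    {"family": "raccoon", "botnet": None, "c2": ["https://telete.in/open3entershift"]},
    {"family": "redline", "botnet": "spnewportspectr", "c2": ["135.148.139.222:1594"]},
]

# Legitimate services abused as dead drops / C2 (see the "Legitimate hosting
# services abused" signature): their bare domains must never become indicators.
SHARED_SERVICE_DOMAINS = {"tumblr.com", "telete.in"}


def is_shared_service(host):
    return any(host == d or host.endswith("." + d) for d in SHARED_SERVICE_DOMAINS)


def build_iocs(configs):
    """Split C2 strings into ip:port, ip, host and url indicator sets."""
    iocs = {"ip_port": set(), "ip": set(), "host": set(), "url": set()}
    for cfg in configs:
        for c2 in cfg["c2"]:
            if "://" in c2:
                iocs["url"].add(c2)
                host = urlparse(c2).hostname
                if host and not is_shared_service(host):
                    iocs["host"].add(host)
                continue
            host, _, port = c2.rpartition(":")
            try:
                ipaddress.ip_address(host)
            except ValueError:
                iocs["host"].add(host)          # domain:port C2 such as akedauiver.xyz:80
            else:
                iocs["ip_port"].add(f"{host}:{port}")
                iocs["ip"].add(host)
    return iocs


def match_log_line(line, iocs):
    """Hits for one constructed 'ts src dst dport host url' line ('-' = absent)."""
    _ts, _src, dst, dport, host, url = line.split()
    hits = []
    if f"{dst}:{dport}" in iocs["ip_port"]:
        hits.append(("ip_port", f"{dst}:{dport}"))
    elif dst in iocs["ip"]:
        hits.append(("ip", dst))                # known C2 address on an unlisted port: weaker hit
    if host in iocs["host"]:
        hits.append(("host", host))
    for c2_url in sorted(iocs["url"]):
        if url.startswith(c2_url):              # exact C2 URL or a path beneath it
            hits.append(("url", c2_url))
    return hits


def scan(lines, iocs):
    """Return (line_index, hits) for every line with at least one hit."""
    results = []
    for i, line in enumerate(lines):
        hits = match_log_line(line, iocs)
        if hits:
            results.append((i, hits))
    return results


# Constructed log lines; private and documentation addresses stand in for real hosts.
SAMPLE_LOG = [
    "2021-09-02T10:41:03Z 10.0.0.15 193.56.146.60 16367 - -",
    "2021-09-02T10:41:09Z 10.0.0.15 198.51.100.7 443 olegf9844.tumblr.com https://olegf9844.tumblr.com/",
    "2021-09-02T10:41:12Z 10.0.0.15 198.51.100.9 443 www.tumblr.com https://www.tumblr.com/dashboard",
    "2021-09-02T10:41:20Z 10.0.0.15 203.0.113.4 80 akedauiver.xyz -",
    "2021-09-02T10:41:25Z 10.0.0.15 45.14.49.184 443 - -",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG, build_iocs(EXTRACTED_CONFIGS)):
        print(idx, SAMPLE_LOG[idx].split()[0], hits)
```

The third sample line (a normal Tumblr dashboard visit) produces no hit, while the Vidar profile URL on the second line does; the last line shows the weaker "same C2 address, different port" case, which is worth surfacing but should not be scored like an exact ip:port match.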
Targets

Target: 9C83561FB5253478D523E0CA20900B7E0CE87E60F686B.exe (2.7MB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures

- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess (a process created under a parent other than the caller, i.e. parent PID spoofing; read it together with the unexpected-child signature above when reconstructing the process tree, since the recorded parent is not the real creator)
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2 (the tumblr.com and telete.in entries in the extracted configs above)
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext (the API used to redirect a thread's execution in process hollowing and other injection techniques)
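"Downloads MZ/PE file" is a content signature, not a file-extension or Content-Type one. The Python below is an added example, not the sandbox's own detection code: it checks a downloaded body for a DOS header whose e_lfanew field points at a "PE\0\0" signature, reads the COFF header to tell an EXE from a DLL (the distinction "Executes dropped EXE" and "Loads dropped DLL" later make), and flags a PE served under a non-executable Content-Type, which is the usual shape of a stealer download. The HTTP response and the minimal PE header it wraps are constructed for the example; build_minimal_pe, pe_info and inspect_http_response are names chosen here.

```python
"""Detect a PE (MZ/PE) image in a downloaded body regardless of extension or
Content-Type. Added example, not the sandbox's own detection code."""
import struct

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "arm", 0xAA64: "arm64"}


def pe_info(data):
    """Return {'machine', 'dll', 'sections'} if data is a PE image, else None.

    The check mirrors the loader: 'MZ' at offset 0, e_lfanew at 0x3C, and the
    4-byte 'PE\\0\\0' signature at e_lfanew followed by a 20-byte COFF header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):               # truncated body or bogus e_lfanew
        return None
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, n_sections, _, _, _, _, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "dll": bool(characteristics & IMAGE_FILE_DLL),
        "sections": n_sections,
    }


def inspect_http_response(raw):
    """Split a raw HTTP response and flag a PE body served with a non-executable type."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    info = pe_info(body)
    ctype = headers.get(b"content-type", b"").decode("latin-1")
    return {
        "content_type": ctype,
        "pe": info,
        # a PE served as image/*, text/* or with no type at all is the common download pattern
        "type_mismatch": info is not None and not ctype.startswith("application/"),
    }


def build_minimal_pe(machine=0x14C, characteristics=0x0102):
    """Constructed 64-byte DOS header + PE signature + COFF header, for testing only."""
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return dos_header + b"PE\0\0" + coff_header


if __name__ == "__main__":
    sample = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + build_minimal_pe()
    print(inspect_http_response(sample))
```

Bounding e_lfanew against the body length matters in practice: a partial capture or a deliberately huge e_lfanew would otherwise raise instead of returning "not a PE", and an exception in a detector is a silent miss.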