General
-
Target
47000B94531AD6B652797C1F2E525752.exe
-
Size
3.8MB
-
Sample
210904-h6n3bahbcr
-
MD5
47000b94531ad6b652797c1f2e525752
-
SHA1
58de952fe5d182294e5e6d5141567b9ce61a331e
-
SHA256
6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d
-
SHA512
eb9795ad340d101c5d1412ed1206ff97ecb75ea79da3a3030e175d6d2926ab47e67944bd5e660b3e0c4f017f9b28f8ec7f7004a35a5c5446edf55dca7ec51dd4
Static task
static1
Behavioral task
behavioral1
Sample
47000B94531AD6B652797C1F2E525752.exe
Resource
win7-en
Behavioral task
behavioral2
Sample
47000B94531AD6B652797C1F2E525752.exe
Resource
win10v20210408
Malware Config
Extracted
vidar
40.1
706
https://eduarroma.tumblr.com/
-
profile_id
706
Extracted
vidar
40.4
937
https://romkaxarit.tumblr.com/
-
profile_id
937
Targets
-
-
Target
47000B94531AD6B652797C1F2E525752.exe
-
Size
3.8MB
-
MD5
47000b94531ad6b652797c1f2e525752
-
SHA1
58de952fe5d182294e5e6d5141567b9ce61a331e
-
SHA256
6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d
-
SHA512
eb9795ad340d101c5d1412ed1206ff97ecb75ea79da3a3030e175d6d2926ab47e67944bd5e660b3e0c4f017f9b28f8ec7f7004a35a5c5446edf55dca7ec51dd4
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-