General
Target: FBCC50E810B4C1D883AC7C6BA6A68743.exe
Size: 4.3MB
Sample: 210908-rk7rzaeeh6
MD5: fbcc50e810b4c1d883ac7c6ba6a68743
SHA1: 239b6f259b6a4caedc2f5255cc95d8f2c28a9d12
SHA256: 9717b381438ce05007cf221a2e8bf6472c0bcd87c855ecdf11336315325d21c4
SHA512: 71d811f240ce94d4a2e9a55d69281e9fea565c3819b14a6bb65941fe0b329d4f95c702ab748c1aa991f0c6267ca6d21c991486d0cef1ef547c52d6e70af4bb24
Static task: static1
Behavioral task: behavioral1 (Sample: FBCC50E810B4C1D883AC7C6BA6A68743.exe, Resource: win7-en)
Behavioral task: behavioral2 (Sample: FBCC50E810B4C1D883AC7C6BA6A68743.exe, Resource: win10v20210408)
Malware Config
Extracted: redline
  pub1
  viacetequn.site:80
Extracted: vidar
  40.1
  706
  https://eduarroma.tumblr.com/
  profile_id: 706
Extracted: smokeloader
  2020
  http://aucmoney.com/upload/
  http://thegymmum.com/upload/
  http://atvcampingtrips.com/upload/
  http://kuapakualaman.com/upload/
  http://renatazarazua.com/upload/
  http://nasufmutlu.com/upload/
Extracted: vidar
  40.5
  937
  https://gheorghip.tumblr.com/
  profile_id: 937
Targets
Target: FBCC50E810B4C1D883AC7C6BA6A68743.exe
Size: 4.3MB
MD5: fbcc50e810b4c1d883ac7c6ba6a68743
SHA1: 239b6f259b6a4caedc2f5255cc95d8f2c28a9d12
SHA256: 9717b381438ce05007cf221a2e8bf6472c0bcd87c855ecdf11336315325d21c4
SHA512: 71d811f240ce94d4a2e9a55d69281e9fea565c3819b14a6bb65941fe0b329d4f95c702ab748c1aa991f0c6267ca6d21c991486d0cef1ef547c52d6e70af4bb24
Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload
Vidar Stealer
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.