redline

General

Target

D2864E311EFFCEF848301945DA620B92D1A982DBE2A70.exe
Size

4.3MB
Sample

210925-1gg7ksdhdp
MD5

5fb865bdd91d46c9bd96b0cae60dcc86
SHA1

9a050d47f03d39d56c90c0f8a7d0627c6e2f916d
SHA256

d2864e311effcef848301945da620b92d1a982dbe2a708e0e380370113e71577
SHA512

9cefe5edd26075f92b619a1041ceb9053da77c89c422cba89a3f20706e56d822c2f20111a587ebc346b5ba486b4be43f40fb22d5c25ed68e8602ac04463c4420

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

vidar

Version

40.1

Botnet

706

C2

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

pub1

C2

viacetequn.site:80

Targets

- Target
  
  D2864E311EFFCEF848301945DA620B92D1A982DBE2A70.exe
- Size
  
  4.3MB
- MD5
  
  5fb865bdd91d46c9bd96b0cae60dcc86
- SHA1
  
  9a050d47f03d39d56c90c0f8a7d0627c6e2f916d
- SHA256
  
  d2864e311effcef848301945da620b92d1a982dbe2a708e0e380370113e71577
- SHA512
  
  9cefe5edd26075f92b619a1041ceb9053da77c89c422cba89a3f20706e56d822c2f20111a587ebc346b5ba486b4be43f40fb22d5c25ed68e8602ac04463c4420
Score

10^/10

redline smokeloader vidar 706 aspackv2 backdoor evasion infostealer persistence stealer trojan socelars pub1 suricata
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2