General
- Target: 44F3C573B5D6D77D97C2EBF5D4A235DA5AED3A18EB5B7.exe
- Size: 2.4MB
- Sample: 210926-1z3w1afdd3
- MD5: 5a7f2fa0c18a3f1fdfb08910b5951c7b
- SHA1: a09a567dab1860c16a729dbb947a5593827f8e9c
- SHA256: 44f3c573b5d6d77d97c2ebf5d4a235da5aed3a18eb5b76ea420d262df0f3a826
- SHA512: f37a763cf61183601c92888284e541a87764829e7bd69984c1b4713bd0810211820e3ee03c696ba765162ddc2c0e37f19203f67351a3a681b6daede561ac2144
Static task: static1
Malware Config
Extracted: vidar
40
706
https://lenak513.tumblr.com/
- profile_id: 706
Extracted: cryptbot
lysuht78.top
morisc07.top
- payload_url: http://damysa10.top/download.php?file=lv.exe
Extracted: redline
test1
185.215.113.15:61506
Extracted: smokeloader
2020
Targets
- CryptBot Payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.