General
-
Target
071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
-
Size
3.9MB
-
Sample
210928-y5kaqsdaa9
-
MD5
1be0d2741eaac6804e24a7586b1086b0
-
SHA1
cdb330156b2063c6f259cb10a787463756798f7a
-
SHA256
071f6bd61aef9f209be1bfb16ef1fb14bd44804fcab511b129deeb7822948ef9
-
SHA512
cc9352b0ace0a51cac07069adf33d98e548e6726e71bf4582dcb15c3d7b0a7806765ffc57f95511f1aeca798d7fbf44c08bc5ebe7bc13626b8b7bcd0df872f85
Static task
static1
Behavioral task
behavioral1
Sample
071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
Resource
win10-en-20210920
Malware Config
Extracted
vidar
40.1
706
https://eduarroma.tumblr.com/
-
profile_id
706
Extracted
redline
pab4
185.215.113.15:61506
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
Extracted
redline
7.5k_Z_BOGOM
195.133.18.154:30491
Targets
-
-
Target
071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
-
Size
3.9MB
-
MD5
1be0d2741eaac6804e24a7586b1086b0
-
SHA1
cdb330156b2063c6f259cb10a787463756798f7a
-
SHA256
071f6bd61aef9f209be1bfb16ef1fb14bd44804fcab511b129deeb7822948ef9
-
SHA512
cc9352b0ace0a51cac07069adf33d98e548e6726e71bf4582dcb15c3d7b0a7806765ffc57f95511f1aeca798d7fbf44c08bc5ebe7bc13626b8b7bcd0df872f85
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-