General
Target: F2F9785308BB396F5EB8C14E746228D3298A5984313EF.exe
Size: 3.5MB
Sample: 210930-21tv6aaeb8
MD5: 0bea974fca09703496dcca41ce759790
SHA1: 1451af5014e01196929bd17191f929799e31eed6
SHA256: f2f9785308bb396f5eb8c14e746228d3298a5984313eff79e0bb0b2f417abefc
SHA512: 00a038eeeb47df52a5eac926a5b22c80726f7a9c31299afcfc38e3ad26811e1feb25bd42227845d9777f585b97e3f6e8e1b82897895361dfe94c5bb9beb586f8
Static task: static1
Behavioral task: behavioral1
  Sample: F2F9785308BB396F5EB8C14E746228D3298A5984313EF.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: F2F9785308BB396F5EB8C14E746228D3298A5984313EF.exe
  Resource: win10v20210408
Malware Config
Extracted: vidar
  40.1
  706
  https://eduarroma.tumblr.com/
  profile_id: 706
Extracted: redline
  pub2
  185.92.73.84:80
Extracted: smokeloader
  2020
  http://aucmoney.com/upload/
  http://thegymmum.com/upload/
  http://atvcampingtrips.com/upload/
  http://kuapakualaman.com/upload/
  http://renatazarazua.com/upload/
  http://nasufmutlu.com/upload/
Extracted: vidar
  41.1
  1028
  https://mas.to/@bardak1ho
  profile_id: 1028
Extracted: raccoon
  6b473ae90575e46165b57807704d00b90b7f6fb2
  url4cnc: http://teletop.top/viv0ramadium0, http://teleta.top/viv0ramadium0, https://t.me/viv0ramadium0
Targets
Target: F2F9785308BB396F5EB8C14E746228D3298A5984313EF.exe
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely as a geofence check.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.