General
- Target: 3153CAF54366C0DDEDDD293791B8F05EABD7343D9A73C.exe
- Size: 2.1MB
- Sample: 210930-ztvsrsadg3
- MD5: 13592ce3f7f5f21e127824988baedd53
- SHA1: 165426682d216a39f0dd9c6307567376d3747615
- SHA256: 3153caf54366c0ddeddd293791b8f05eabd7343d9a73cc6444b769d0115dabf8
- SHA512: 881067a635b0d4849d0b331a23630f4a277ff9e57791a0bd539ef32b955bf14a01ed739cf71e41cbab7a951be5f623ea61cd354adb8bd500fd30db56b7785fbe
Static task
- static1
Behavioral tasks
- behavioral1: Sample 3153CAF54366C0DDEDDD293791B8F05EABD7343D9A73C.exe, Resource win7-en-20210920
- behavioral2: Sample 3153CAF54366C0DDEDDD293791B8F05EABD7343D9A73C.exe, Resource win10v20210408
Malware Config
Extracted: vidar
- 40
- 706
- https://lenak513.tumblr.com/
- profile_id: 706
Extracted: redline
- test1
- 185.215.113.15:61506
Extracted: smokeloader
- 2020
Extracted: vidar
- 41.1
- 1028
- https://mas.to/@bardak1ho
- profile_id: 1028
Extracted: redline
- 30.09
- 195.133.18.5:45269
Extracted: vidar
- 41.1
- 937
- https://mas.to/@bardak1ho
- profile_id: 937
Extracted: raccoon
- 6b473ae90575e46165b57807704d00b90b7f6fb2
- url4cnc: http://teletop.top/viv0ramadium0, http://teleta.top/viv0ramadium0, https://t.me/viv0ramadium0
Targets
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger