General
Target: 20F43079CF75825C5E909B04F3C0B8BDB2F71BE7477FB.exe
Size: 3.9MB
Sample: 211001-bq89zsaeg9
MD5: 9b4c66a8f89b5784c7aba7502b65338d
SHA1: 7848450e3928aeb0caa86972f588c509d679ece7
SHA256: 20f43079cf75825c5e909b04f3c0b8bdb2f71be7477fb3f12e85fb58dd8b77e9
SHA512: 8b1d083c0d100df90fcd48a50c7752981a7bc2c0939915ce5d0359e776f1785bf366d5b657e375c881872e007e3b9ac3aedf615c627f140f587e1cdfa7b9955c
Static task: static1
Behavioral task: behavioral1
Sample: 20F43079CF75825C5E909B04F3C0B8BDB2F71BE7477FB.exe
Resource: win7v20210408
Behavioral task: behavioral2
Sample: 20F43079CF75825C5E909B04F3C0B8BDB2F71BE7477FB.exe
Resource: win10-en-20210920
Malware Config
Extracted: vidar
Version: 40
Botnet: 706
C2: https://lenak513.tumblr.com/
profile_id: 706
Extracted: redline
Botnet: pab3
C2: 185.215.113.15:61506
Extracted: smokeloader
Version: 2020
C2: http://aucmoney.com/upload/
C2: http://thegymmum.com/upload/
C2: http://atvcampingtrips.com/upload/
C2: http://kuapakualaman.com/upload/
C2: http://renatazarazua.com/upload/
C2: http://nasufmutlu.com/upload/
Extracted: vidar
Version: 41.1
Botnet: 1028
C2: https://mas.to/@bardak1ho
profile_id: 1028
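The four extracted configs mix three indicator shapes: a bare IP:port (RedLine), dedicated domains with a fixed URL path (SmokeLoader), and profiles on legitimate shared services (Vidar on Tumblr and on the Mastodon instance mas.to). Matching them against logs needs different rules per shape, since blocking tumblr.com or mas.to outright is not an option. The following is an added example, not part of the original report or of any sandbox's code; the configs are copied from the Malware Config section above and the proxy log lines are constructed for the demonstration.

```python
"""Normalise the C2 indicators extracted from this sample's configs and
match them against proxy/DNS log lines.

Added example, not part of the original report or of any sandbox's code.
The configs are copied from the report's Malware Config section; the log
lines at the bottom are constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# The four config blocks as extracted in the report.
EXTRACTED_CONFIGS = [
    {"family": "vidar", "version": "40", "botnet": "706",
     "c2": ["https://lenak513.tumblr.com/"]},
    {"family": "redline", "botnet": "pab3",
     "c2": ["185.215.113.15:61506"]},
    {"family": "smokeloader", "version": "2020",
     "c2": ["http://aucmoney.com/upload/",
            "http://thegymmum.com/upload/",
            "http://atvcampingtrips.com/upload/",
            "http://kuapakualaman.com/upload/",
            "http://renatazarazua.com/upload/",
            "http://nasufmutlu.com/upload/"]},
    {"family": "vidar", "version": "41.1", "botnet": "1028",
     "c2": ["https://mas.to/@bardak1ho"]},
]

# Legitimate services the stealer only abuses for a specific profile.
# Blocking the whole service would be wrong; match the specific profile.
SHARED_HOSTS = {"tumblr.com", "mas.to"}

IP_PORT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


@dataclass(frozen=True, order=True)
class Ioc:
    family: str
    kind: str   # "ip_port", "host" or "url"
    value: str


def normalise(configs: list[dict]) -> set[Ioc]:
    """Turn the raw C2 strings into one IOC per family/indicator."""
    iocs: set[Ioc] = set()
    for cfg in configs:
        for c2 in cfg["c2"]:
            if IP_PORT.match(c2):
                iocs.add(Ioc(cfg["family"], "ip_port", c2))
                continue
            parts = urlsplit(c2)
            host = (parts.hostname or "").lower()
            base = ".".join(host.split(".")[-2:])
            if base in SHARED_HOSTS and host == base:
                # Profile on a shared host: the path is the indicator.
                iocs.add(Ioc(cfg["family"], "url", host + parts.path))
            else:
                # Dedicated domain or per-user subdomain: the host suffices.
                iocs.add(Ioc(cfg["family"], "host", host))
    return iocs


def match_line(line: str, iocs: set[Ioc]) -> list[Ioc]:
    """Return the IOCs that appear in one log line (case-insensitive)."""
    lowered = line.lower()
    hits = []
    for ioc in iocs:
        if ioc.kind == "host":
            # Whole-host match so "evilaucmoney.com" does not trip on "aucmoney.com".
            pattern = r"(^|[\s/:@])" + re.escape(ioc.value) + r"([\s/:]|$)"
            hit = re.search(pattern, lowered) is not None
        else:
            hit = ioc.value in lowered
        if hit:
            hits.append(ioc)
    return sorted(hits)


def scan(lines: list[str], iocs: set[Ioc]) -> dict[int, list[Ioc]]:
    """Map line index -> matched IOCs, for lines with at least one hit."""
    return {i: h for i, line in enumerate(lines) if (h := match_line(line, iocs))}


# Constructed proxy log lines (not from the sandbox run).
SAMPLE_LOG = [
    "2021-10-01T09:12:03Z 10.0.0.12 GET http://aucmoney.com/upload/ 200",
    "2021-10-01T09:12:04Z 10.0.0.12 GET https://mas.to/@someone_else 200",
    "2021-10-01T09:12:05Z 10.0.0.12 GET https://mas.to/@bardak1ho 200",
    "2021-10-01T09:12:06Z 10.0.0.12 CONNECT 185.215.113.15:61506 -",
    "2021-10-01T09:12:07Z 10.0.0.12 GET https://api.ipify.org/ 200",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG, normalise(EXTRACTED_CONFIGS)).items():
        print(idx, SAMPLE_LOG[idx], [f"{h.family}:{h.value}" for h in hits])
```

Note that the line fetching another mas.to profile and the api.ipify.org request produce no hit: the external-IP lookup is noise on its own (many legitimate tools do it) and only becomes interesting in combination with the other behaviours listed under the target.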
Targets
Target: 20F43079CF75825C5E909B04F3C0B8BDB2F71BE7477FB.exe
Size: 3.9MB
MD5/SHA1/SHA256/SHA512: as listed under General above
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess: a process is created under a different parent (parent PID spoofing), which breaks process-tree analysis that relies on the real parent/child relationship.
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence so the payload does not run in excluded regions.
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2: the two Vidar configs above list a Tumblr page and a Mastodon (mas.to) profile as C2.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
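Taken one at a time, several of the behaviours above (an external-IP lookup, a Run-key write, a registry read) are also produced by benign software; the signal is a single process doing all of them shortly after being launched from a user-writable directory. The following is an added example of that correlation over host telemetry, not the sandbox's own signature logic. The event records are constructed (Sysmon-like but simplified), and the specific registry paths and the list of IP-lookup hosts are assumptions: Windows keeps the configured country code under HKCU\Control Panel\International\Geo\Nation, and the lookup hosts are common public IP echo services.

```python
"""Flag the behaviours this report lists (Run-key persistence, registry
geofence lookup, external-IP lookup, running a dropped EXE) in a stream
of host telemetry and correlate them per process.

Added example; not the sandbox's own signature logic. The events are
constructed, and the registry paths and IP-lookup host list are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Autostart locations written by "Adds Run key to start application".
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Country code read by "Checks computer location settings" (assumed path).
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Services behind "Looks up external IP address via web service" (assumed list).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "ip-api.com", "icanhazip.com"}
# Directories a freshly dropped second stage typically runs from.
USER_WRITABLE = re.compile(r"\\(Temp|AppData\\Local|AppData\\Roaming|Downloads)\\", re.I)


def classify(event: dict) -> str | None:
    """Name the report signature a single telemetry event corresponds to."""
    kind = event["type"]
    if kind == "registry_set" and RUN_KEY.search(event["key"]):
        return "run_key_persistence"
    if kind == "registry_read" and GEO_KEY.search(event["key"]):
        return "geofence_check"
    if kind == "dns_query" and event["name"].lower() in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    if kind == "process_create" and USER_WRITABLE.search(event["image"]):
        return "executes_dropped_exe"
    return None


def score(events: list[dict]) -> dict[int, list[str]]:
    """Group the distinct signatures triggered by each pid."""
    per_pid: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        sig = classify(ev)
        if sig:
            per_pid[ev["pid"]].add(sig)
    return {pid: sorted(sigs) for pid, sigs in per_pid.items()}


def suspicious_pids(events: list[dict], threshold: int = 3) -> list[int]:
    """Pids that triggered at least `threshold` distinct signatures."""
    return sorted(pid for pid, sigs in score(events).items() if len(sigs) >= threshold)


# Constructed telemetry; not from the sandbox run. pid 4120 behaves like the
# dropped stage described in the report, pid 812 like an ordinary installer.
EVENTS = [
    {"type": "process_create", "pid": 4120,
     "image": r"C:\Users\u\AppData\Local\Temp\stage2.exe"},
    {"type": "registry_read", "pid": 4120,
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "dns_query", "pid": 4120, "name": "api.ipify.org"},
    {"type": "registry_set", "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "registry_set", "pid": 812,
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "dns_query", "pid": 812, "name": "www.microsoft.com"},
    {"type": "process_create", "pid": 812,
     "image": r"C:\Program Files\App\setup.exe"},
]

if __name__ == "__main__":
    for pid, sigs in score(EVENTS).items():
        print(pid, sigs)
    print("suspicious:", suspicious_pids(EVENTS))
```

The threshold is deliberately a count of distinct signatures rather than a weighted score: a Run-key write alone (pid 812 here) is exactly what a legitimate installer does, while the geofence read plus IP lookup plus persistence from a temp-directory binary (pid 4120) is the pattern the sandbox reported for this sample.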