General

Target: 37B2718705E2CDCBE38E2E27173BA95467B68D45187A2.exe
Size: 3.6MB
Sample: 211001-dmrxmsaff5
MD5: 5abf967f514466318c8786cd77a4e280
SHA1: 20e2085654b061df7aa6379c086b1242f8793d13
SHA256: 37b2718705e2cdcbe38e2e27173ba95467b68d45187a25e5bd8114b5b2c182aa
SHA512: 4ecac66172b208e3ae822e4acc5c3c38e9a01d36a4c7b87e3e542c5770b32c64915ffe85fd4b693eb7f1f249b21fe2317b1f9a1d3a4f7b0331cef581f18cc92d

Static task: static1

Behavioral task: behavioral1
Sample: 37B2718705E2CDCBE38E2E27173BA95467B68D45187A2.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: 37B2718705E2CDCBE38E2E27173BA95467B68D45187A2.exe
Resource: win10v20210408
Malware Config

Extracted: vidar
Version: 39.9
Botnet: 706
C2: https://prophefliloc.tumblr.com/
Attributes: profile_id = 706

Extracted: smokeloader
Version: 2020
C2:
  http://aucmoney.com/upload/
  http://thegymmum.com/upload/
  http://atvcampingtrips.com/upload/
  http://kuapakualaman.com/upload/
  http://renatazarazua.com/upload/
  http://nasufmutlu.com/upload/
  http://fiskahlilian16.top/
  http://paishancho17.top/
  http://ydiannetter18.top/
  http://azarehanelle19.top/
  http://quericeriant20.top/

Extracted: redline
Botnet: ANINEWONE
C2: zisiarenal.xyz:80

Extracted: vidar
Version: 41.1
Botnet: 1028
C2: https://mas.to/@bardak1ho
Attributes: profile_id = 1028

Extracted: vidar
Version: 41.1
Botnet: 937
C2: https://mas.to/@bardak1ho
Attributes: profile_id = 937

Extracted: raccoon
Botnet: 6b473ae90575e46165b57807704d00b90b7f6fb2
Attributes: url4cnc =
  http://teletop.top/viv0ramadium0
  http://teleta.top/viv0ramadium0
  https://t.me/viv0ramadium0
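The extractions above mix three kinds of value: version or botnet identifiers, C2 addresses given either as URLs or as host:port, and attribute lists such as Raccoon's comma-joined url4cnc, whose Telegram entry is a dead-drop resolver rather than a final C2. The Python below is an added example, not code from the sandbox or the report: it parses an abridged copy of this report's values in the one-value-per-line export form such sections come in, normalizes every address to host and port, defangs it for sharing, and flags hosts on services a stealer abuses as a dead drop. The Extraction field names, the defanging style and the DEAD_DROP_SERVICES list are this example's own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Abridged copy of this report's extractions in one-value-per-line export form:
# "Extracted", family, positional fields, then optional "-" and key/value pairs.
CONFIG_TEXT = """\
Extracted
vidar
39.9
706
https://prophefliloc.tumblr.com/
-
profile_id
706
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://fiskahlilian16.top/
Extracted
redline
ANINEWONE
zisiarenal.xyz:80
Extracted
raccoon
6b473ae90575e46165b57807704d00b90b7f6fb2
-
url4cnc
http://teletop.top/viv0ramadium0,http://teleta.top/viv0ramadium0,https://t.me/viv0ramadium0
"""

URL_RE = re.compile(r"^https?://", re.I)
HOSTPORT_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+\.[A-Za-z]{2,}):(?P<port>\d{1,5})$")
# Services used as dead-drop resolvers for the real C2 (assumption for this example).
DEAD_DROP_SERVICES = ("tumblr.com", "mas.to", "t.me")


@dataclass
class Extraction:
    family: str
    ids: list[str] = field(default_factory=list)    # version / botnet-style fields
    c2: list[str] = field(default_factory=list)     # URLs or host:port
    attributes: dict[str, list[str]] = field(default_factory=dict)


def parse_config(text: str) -> list[Extraction]:
    """Walk the flattened layout; a comma-joined attribute value becomes a list."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    out: list[Extraction] = []
    i = 0
    while i < len(lines):
        if lines[i] != "Extracted" or i + 1 >= len(lines):
            raise ValueError(f"unexpected line {i}: {lines[i]!r}")
        ex = Extraction(family=lines[i + 1])
        i += 2
        while i < len(lines) and lines[i] not in ("-", "Extracted"):   # positional fields
            v = lines[i]
            (ex.c2 if URL_RE.match(v) or HOSTPORT_RE.match(v) else ex.ids).append(v)
            i += 1
        if i < len(lines) and lines[i] == "-":                          # key/value attributes
            i += 1
            while i + 1 < len(lines) and lines[i] != "Extracted":
                ex.attributes[lines[i]] = [p for p in lines[i + 1].split(",") if p]
                i += 2
        out.append(ex)
    return out


def host_port(indicator: str) -> tuple[str, int]:
    """Host and port of a URL or host:port; the default port follows the scheme."""
    m = HOSTPORT_RE.match(indicator)
    if m:
        return m["host"].lower(), int(m["port"])
    u = urlsplit(indicator)
    return (u.hostname or "").lower(), u.port or (443 if u.scheme == "https" else 80)


def defang(indicator: str) -> str:
    return indicator.replace("http", "hxxp", 1).replace(".", "[.]")


def network_iocs(extractions: list[Extraction]) -> list[dict]:
    """One row per distinct (family, indicator); attribute URLs (url4cnc) are included."""
    rows, seen = [], set()
    for ex in extractions:
        cands = ex.c2 + [v for vals in ex.attributes.values() for v in vals
                         if URL_RE.match(v) or HOSTPORT_RE.match(v)]
        for ind in cands:
            if (ex.family, ind) in seen:
                continue
            seen.add((ex.family, ind))
            host, port = host_port(ind)
            rows.append({"family": ex.family, "host": host, "port": port, "indicator": defang(ind),
                         "dead_drop": any(host == s or host.endswith("." + s) for s in DEAD_DROP_SERVICES)})
    return rows
```

Keeping attribute URLs apart from the c2 list lets the Raccoon Telegram and .top addresses go out as blockable indicators while still being recognisable as resolvers, which matters when the real C2 behind them changes.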
Targets

Target: 37B2718705E2CDCBE38E2E27173BA95467B68D45187A2.exe
Size: 3.6MB
MD5: 5abf967f514466318c8786cd77a4e280
SHA1: 20e2085654b061df7aa6379c086b1242f8793d13
SHA256: 37b2718705e2cdcbe38e2e27173ba95467b68d45187a25e5bd8114b5b2c182aa
SHA512: 4ecac66172b208e3ae822e4acc5c3c38e9a01d36a4c7b87e3e542c5770b32c64915ffe85fd4b693eb7f1f249b21fe2317b1f9a1d3a4f7b0331cef581f18cc92d

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
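Three of the signatures above describe a registry or network lookup without naming the key or service involved: the country-code check, the Uninstall-key enumeration, and the external IP lookup. As an added example, not the sandbox's own detection logic, the Python below re-derives them from an API-call trace. The registry paths, the IP-lookup host list and the trace itself are this example's assumptions. It also carries the caveat a detection engineer would want: the software-enumeration signature fires only when more than one Uninstall entry is read, so an installer or updater checking its own product key does not trigger it.

```python
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlsplit

# What each signature keys on. The report names no key or service; these are
# the conventional locations (assumption for this example).
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo(\\|$)", re.I)
UNINSTALL_KEY_RE = re.compile(
    r"\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall\\(?P<entry>[^\\]+)$",
    re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com",
                   "checkip.amazonaws.com"}

# Constructed trace, not taken from the report: (pid, API, argument).
TRACE = [
    (1204, "RegOpenKeyExW", r"HKCU\Control Panel\International\Geo"),
    (1204, "RegQueryValueExW", r"HKCU\Control Panel\International\Geo\Nation"),
    (1204, "RegOpenKeyExW", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    (1204, "RegEnumKeyExW", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++"),
    (1204, "RegEnumKeyExW", r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"),
    (1204, "RegEnumKeyExW", r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox"),
    (1204, "InternetOpenUrlW", "https://api.ipify.org/?format=text"),
    # A second process reading only its own product key: should not look like enumeration.
    (2880, "RegOpenKeyExW", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"),
    (2880, "InternetOpenUrlW", "https://www.microsoft.com/"),
]


def match_signatures(trace) -> dict[int, dict[str, list[str]]]:
    """Per pid: signature name -> the arguments that matched it."""
    hits: dict[int, dict[str, list[str]]] = defaultdict(lambda: defaultdict(list))
    for pid, api, arg in trace:
        if api.startswith("Reg"):
            if GEO_KEY_RE.search(arg):
                hits[pid]["geofence"].append(arg)
            else:
                m = UNINSTALL_KEY_RE.search(arg)
                if m:
                    hits[pid]["software_enum"].append(m["entry"])
        elif api.startswith(("Internet", "Http", "WinHttp")):
            host = (urlsplit(arg).hostname or "").lower()
            if host in IP_LOOKUP_HOSTS:
                hits[pid]["external_ip"].append(host)
    return {pid: dict(sigs) for pid, sigs in hits.items()}


def triggered(trace, min_products: int = 2) -> dict[int, list[str]]:
    """Signatures that fire per pid. Software enumeration needs at least
    min_products distinct Uninstall entries, so a single product lookup is noise."""
    result: dict[int, list[str]] = {}
    for pid, sigs in match_signatures(trace).items():
        fired = [s for s in ("geofence", "software_enum", "external_ip")
                 if s in sigs and (s != "software_enum" or len(set(sigs[s])) >= min_products)]
        if fired:
            result[pid] = fired
    return result


if __name__ == "__main__":
    for pid, names in triggered(TRACE).items():
        print(pid, ", ".join(names))
```

Only registry and HTTP calls are consulted; Sysmon does not log registry reads, so in a live environment the same logic has to run over an API-monitor or ETW registry trace rather than over Sysmon events.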