General

Target: 34e36e640492423d55b80bd5ac3ddb77b6b9e87c.exe
Size: 631KB
Sample: 211003-3pesjafff6
MD5: 94f06bfbb349287c89ccc92ac575123f
SHA1: 34e36e640492423d55b80bd5ac3ddb77b6b9e87c
SHA256: d05cb3a734aaa9d090be20fbaeddf8069a829fa78c44dd8378a2350c1510e1fc
SHA512: c8a5362f9a35737ac04b6e0c48371aa60e64adf1157e16191691ac4dccb8dbaac261b516ebb89fc84ba741616ea1ca888a4a180ef2cf89ca04ebdc7768ea0fbb

Static task: static1
Behavioral task: behavioral1
Sample: 34e36e640492423d55b80bd5ac3ddb77b6b9e87c.exe
Resource: win7-en-20210920
Malware Config

Extracted: vidar
Version: 41.1
Botnet: 937
C2: https://mas.to/@bardak1ho
Attributes: profile_id = 937

Extracted: smokeloader
Version: 2020
C2:
http://fiskahlilian16.top/
http://paishancho17.top/
http://ydiannetter18.top/
http://azarehanelle19.top/
http://quericeriant20.top/
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/

Extracted: raccoon
(config value unreadable: the extractor returned non-text bytes here)
url4cnc: (unreadable: non-text bytes in the source)
Treat the raccoon config as unconfirmed until it is re-extracted; the other three configs decoded cleanly.

Extracted: redline
C2: 195.2.93.217:59309
Targets

Target: 34e36e640492423d55b80bd5ac3ddb77b6b9e87c.exe (631KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine Payload
- Socelars Payload
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
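The Malware Config section above lists the network indicators this sample's payloads use, and the "Legitimate hosting services abused" signature explains why the vidar C2 on mas.to needs different handling from the attacker-registered smokeloader domains. The following Python is an added example (not part of the sandbox report) that turns those extracted configs into matchers and runs them over constructed proxy and firewall log lines; the log lines, the Squid and iptables log formats, and the assumption that mas.to is a shared public Mastodon instance (so only the exact profile path is matched, not the whole host) are mine, while the URLs, socket and file hashes are copied from the report.

```python
"""IOC matchers built from the report's extracted configs. Added example, not
part of the sandbox report; log lines below are constructed."""
import hashlib
import re
from urllib.parse import urlsplit

# Network indicators copied from the Malware Config section of the report.
CONFIG_URLS = {
    "vidar": ["https://mas.to/@bardak1ho"],
    "smokeloader": [
        "http://fiskahlilian16.top/",
        "http://paishancho17.top/",
        "http://ydiannetter18.top/",
        "http://azarehanelle19.top/",
        "http://quericeriant20.top/",
        "http://gmpeople.com/upload/",
        "http://mile48.com/upload/",
        "http://lecanardstsornin.com/upload/",
        "http://m3600.com/upload/",
        "http://camasirx.com/upload/",
    ],
}
CONFIG_SOCKETS = {"redline": [("195.2.93.217", 59309)]}

# File hashes copied from the General section of the report.
SAMPLE_HASHES = {
    "md5": "94f06bfbb349287c89ccc92ac575123f",
    "sha1": "34e36e640492423d55b80bd5ac3ddb77b6b9e87c",
    "sha256": "d05cb3a734aaa9d090be20fbaeddf8069a829fa78c44dd8378a2350c1510e1fc",
}

# Assumption: mas.to is a public Mastodon instance, so a host-level match would
# flag every user of it. Only the exact C2 profile path is matched there.
SHARED_HOSTS = {"mas.to"}


def build_matchers(config_urls):
    """Return (bad_hosts, bad_paths): hostname -> family for dedicated C2
    domains, and (hostname, path) -> family for C2 on shared services."""
    bad_hosts, bad_paths = {}, {}
    for family, urls in config_urls.items():
        for url in urls:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            if host in SHARED_HOSTS:
                bad_paths[(host, parts.path.rstrip("/"))] = family
            else:
                bad_hosts[host] = family
    return bad_hosts, bad_paths


# Squid native access.log: time elapsed client action/code size method URL ...
SQUID_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
# iptables-style kernel log line (only DST and DPT are needed here).
FW_RE = re.compile(r"DST=(?P<dst>[\d.]+).*?DPT=(?P<dpt>\d+)")


def scan_proxy_log(lines, bad_hosts, bad_paths):
    """Return (line_no, client, host, family) for requests to a known C2."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = SQUID_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        family = bad_hosts.get(host) or bad_paths.get((host, parts.path.rstrip("/")))
        if family:
            hits.append((no, m["client"], host, family))
    return hits


def scan_firewall_log(lines, config_sockets):
    """Return (line_no, dst, dport, family) for connections to a known C2 socket.
    ip:port is matched, not ip alone, so other services on the address are not
    flagged; widen to ip-only if the goal is to block the host outright."""
    sockets = {s: fam for fam, socks in config_sockets.items() for s in socks}
    hits = []
    for no, line in enumerate(lines, 1):
        m = FW_RE.search(line)
        if m and (m["dst"], int(m["dpt"])) in sockets:
            key = (m["dst"], int(m["dpt"]))
            hits.append((no, key[0], key[1], sockets[key]))
    return hits


def hash_matches(data, known=SAMPLE_HASHES):
    """Return the algorithms whose digest of `data` equals the sample's hash."""
    return {algo for algo, digest in known.items()
            if hashlib.new(algo, data).hexdigest() == digest}


# Constructed log lines (not from the report) for a dry run.
PROXY_LOG = [
    "1633213200.101 312 10.0.0.5 TCP_MISS/200 942 GET https://mas.to/@bardak1ho - HIER_DIRECT/203.0.113.9 text/html",
    "1633213260.455 120 10.0.0.5 TCP_MISS/200 611 GET https://mas.to/@someuser - HIER_DIRECT/203.0.113.9 text/html",
    "1633213300.002 87 10.0.0.5 TCP_MISS/200 4096 POST http://gmpeople.com/upload/ - HIER_DIRECT/203.0.113.10 text/html",
    "1633213330.777 45 10.0.0.9 TCP_HIT/200 1200 GET http://example.org/index.html - NONE/- text/html",
]
FIREWALL_LOG = [
    "Oct  3 01:02:03 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=195.2.93.217 PROTO=TCP SPT=51002 DPT=59309",
    "Oct  3 01:02:04 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=195.2.93.217 PROTO=TCP SPT=51003 DPT=443",
    "Oct  3 01:02:05 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=93.184.216.34 PROTO=TCP SPT=51004 DPT=80",
]

if __name__ == "__main__":
    hosts, paths = build_matchers(CONFIG_URLS)
    for hit in scan_proxy_log(PROXY_LOG, hosts, paths):
        print("proxy hit:", hit)
    for hit in scan_firewall_log(FIREWALL_LOG, CONFIG_SOCKETS):
        print("firewall hit:", hit)
    print("hash match on unrelated bytes:", hash_matches(b"not the sample"))
```

Run against the constructed logs, the vidar dead-drop request and the smokeloader POST to gmpeople.com are flagged while the unrelated mas.to profile is not, and only the RedLine ip:port pair matches in the firewall log; the second connection to 195.2.93.217 on port 443 is deliberately left alone, which is the trade-off to decide before turning these matchers into block rules.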