General
Target: AC8CF25A55659954E3C2BDF2A3B53115F139BE50F049A.exe
Size: 3.1MB
Sample: 211005-ld7kqsheg2
MD5: 9fcb4d89d7756b915028d95b3b14d6dd
SHA1: df9bd6bbf5d1662f69e97a472ca484c9eb4cac3f
SHA256: ac8cf25a55659954e3c2bdf2a3b53115f139be50f049a424015ab28232aea09e
SHA512: 8ccb329c1b94723fd346bee2d95953764f090d58b88660ec273be507d960582d3c2daf0bbc379468487de0dd89de987798cc7cbad97c86001b9254cce333a829
Static task: static1
Behavioral task: behavioral1
  Sample: AC8CF25A55659954E3C2BDF2A3B53115F139BE50F049A.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: AC8CF25A55659954E3C2BDF2A3B53115F139BE50F049A.exe
  Resource: win10-en-20210920
Malware Config
Extracted: vidar
  39.4
  706
  https://sergeevih43.tumblr.com/
  profile_id: 706
Extracted: redline
  DomAni2
  flestriche.xyz:80
Extracted: smokeloader
  2020
  http://fiskahlilian16.top/
  http://paishancho17.top/
  http://ydiannetter18.top/
  http://azarehanelle19.top/
  http://quericeriant20.top/
  http://ppcspb.com/upload/
  http://mebbing.com/upload/
  http://twcamel.com/upload/
  http://howdycash.com/upload/
  http://lahuertasonora.com/upload/
  http://kpotiques.com/upload/
Extracted: redline
  22
  185.244.217.195:21588
Extracted: raccoon
  1.8.2
  ee26c90dee713d612f197e15111bd20545528a48
  url4cnc:
    http://teletop.top/useinboldt
    http://teleta.top/useinboldt
    https://t.me/useinboldt
Targets
Target: AC8CF25A55659954E3C2BDF2A3B53115F139BE50F049A.exe
Size: 3.1MB
MD5: 9fcb4d89d7756b915028d95b3b14d6dd
SHA1: df9bd6bbf5d1662f69e97a472ca484c9eb4cac3f
SHA256: ac8cf25a55659954e3c2bdf2a3b53115f139be50f049a424015ab28232aea09e
SHA512: 8ccb329c1b94723fd346bee2d95953764f090d58b88660ec273be507d960582d3c2daf0bbc379468487de0dd89de987798cc7cbad97c86001b9254cce333a829
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Arkei Stealer Payload
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext