General
-
Target
74BAFD56C1FB3CDEBF0A63DE4FFB6F16DC1D5CEE38E11.exe
-
Size
5.5MB
-
Sample
211017-nc5qvsdddl
-
MD5
ca08876db58056ad35cadc2afeb89ab7
-
SHA1
e18efa556280140ff92048fa499d729aa4bce089
-
SHA256
74bafd56c1fb3cdebf0a63de4ffb6f16dc1d5cee38e11ab0d2bc2614538da65f
-
SHA512
c801c8019c911e2e298907fb5ac116d635e4a6b7227db7547908653f7cd680c0ebf71dba3660b8bbc87cfe3df4f8c6fbc332f11cb719466d5b311e7a721bfa27
Static task
static1
Behavioral task
behavioral1
Sample
74BAFD56C1FB3CDEBF0A63DE4FFB6F16DC1D5CEE38E11.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
74BAFD56C1FB3CDEBF0A63DE4FFB6F16DC1D5CEE38E11.exe
Resource
win10-en-20211014
Malware Config
Extracted
vidar
40.3
706
https://lenko349.tumblr.com/
-
profile_id
706
Extracted
redline
pab777
185.215.113.15:6043
Extracted
vidar
41.4
937
https://mas.to/@sslam
-
profile_id
937
Targets
-
-
Target
74BAFD56C1FB3CDEBF0A63DE4FFB6F16DC1D5CEE38E11.exe
-
Size
5.5MB
-
MD5
ca08876db58056ad35cadc2afeb89ab7
-
SHA1
e18efa556280140ff92048fa499d729aa4bce089
-
SHA256
74bafd56c1fb3cdebf0a63de4ffb6f16dc1d5cee38e11ab0d2bc2614538da65f
-
SHA512
c801c8019c911e2e298907fb5ac116d635e4a6b7227db7547908653f7cd680c0ebf71dba3660b8bbc87cfe3df4f8c6fbc332f11cb719466d5b311e7a721bfa27
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-