General
-
Target
Setup.exe
-
Size
523KB
-
Sample
211020-v4vtashdd3
-
MD5
329acf4d6a5e735c1fd3b3fc6c77d3f3
-
SHA1
932598a6dbd5eaa0bd7b2aabd16f9c5fab62d960
-
SHA256
ebe82a7d2f2f9989a5e4ef6a4602a8224abdff7aef5baa6beacb5977c02ac3e0
-
SHA512
1c4b78f03238bd6e01abd14794c78ab5a27daf32c6a7237e814740f81c5892f4353f1145c71ad4fd1c57f5675a2281645de3fa437d78c05d5cc24c02f41cf4b5
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win10-en-20210920
Malware Config
Extracted
vidar
41.5
937
https://mas.to/@xeroxxx
-
profile_id
937
Extracted
raccoon
7c9b4504a63ed23664e38808e65948379b790395
-
url4cnc
http://telegka.top/capibar
http://telegin.top/capibar
https://t.me/capibar
Extracted
vidar
41.5
1028
https://mas.to/@xeroxxx
-
profile_id
1028
Extracted
redline
205.185.119.191:60857
Extracted
smokeloader
2020
http://gejajoo7.top/
http://sysaheu9.top/
Targets
-
-
Target
Setup.exe
-
Size
523KB
-
MD5
329acf4d6a5e735c1fd3b3fc6c77d3f3
-
SHA1
932598a6dbd5eaa0bd7b2aabd16f9c5fab62d960
-
SHA256
ebe82a7d2f2f9989a5e4ef6a4602a8224abdff7aef5baa6beacb5977c02ac3e0
-
SHA512
1c4b78f03238bd6e01abd14794c78ab5a27daf32c6a7237e814740f81c5892f4353f1145c71ad4fd1c57f5675a2281645de3fa437d78c05d5cc24c02f41cf4b5
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Vidar Stealer
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-