redline

General

Target

Software-update-patc_579570356.sfx.exe
Size

28.5MB
Sample

211021-qbjs4sacg9
MD5

b64a9d5a67665275d9cbb1d320f1361a
SHA1

3935a3994cb12a69ece3517a63eb35820761feaf
SHA256

28b8658e761beebef9578a13e60f231b7bd5af81107210c06ac108276e9447b9
SHA512

261b47e9218c1531b31ea4ba9a7aa89d5a28b7f0c4c8e4b8196acec7cbd107b31c169eb2fdcde324eeb5e8427298508d39260da82026125c199b2d146cf71d37

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

41.5

Botnet

223

C2

https://mas.to/@xeroxxx

Attributes

profile_id
223

Targets

- Target
  
  Software-update-patc_579570356.sfx.exe
- Size
  
  28.5MB
- MD5
  
  b64a9d5a67665275d9cbb1d320f1361a
- SHA1
  
  3935a3994cb12a69ece3517a63eb35820761feaf
- SHA256
  
  28b8658e761beebef9578a13e60f231b7bd5af81107210c06ac108276e9447b9
- SHA512
  
  261b47e9218c1531b31ea4ba9a7aa89d5a28b7f0c4c8e4b8196acec7cbd107b31c169eb2fdcde324eeb5e8427298508d39260da82026125c199b2d146cf71d37
Score

10^/10

redline vidar 223 discovery evasion infostealer persistence spyware stealer trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Registers COM server for autorun
  persistence
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1