General
-
Target
506c2f513d64242fcb20ccff8c26c0ed1755fe9120b984c29ba224b311d635c3.bin
-
Size
403KB
-
Sample
211021-v9bydabdhp
-
MD5
d1b2c8ddca2f8dd02e2c132153055084
-
SHA1
21c011ac7406eef048c175f5887e4eb885c050d6
-
SHA256
506c2f513d64242fcb20ccff8c26c0ed1755fe9120b984c29ba224b311d635c3
-
SHA512
ab73df911df41235159341cc8fefed284a3f9720f241b51dfe2db2ac415b3438d5fbbeacfa980a61d402edc64afeda87447ccda49b7d279fba524036e9287594
Static task
static1
Behavioral task
behavioral1
Sample
506c2f513d64242fcb20ccff8c26c0ed1755fe9120b984c29ba224b311d635c3.bin.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
506c2f513d64242fcb20ccff8c26c0ed1755fe9120b984c29ba224b311d635c3.bin.exe
Resource
win10-en-20211014
Malware Config
Extracted
redline
205.185.119.191:60857
Extracted
redline
jjfuck
135.181.129.119:4805
Extracted
smokeloader
2020
http://gejajoo7.top/
http://sysaheu9.top/
Extracted
raccoon
7c9b4504a63ed23664e38808e65948379b790395
-
url4cnc
http://telegka.top/capibar
http://telegin.top/capibar
https://t.me/capibar
Extracted
vidar
41.5
937
https://mas.to/@xeroxxx
-
profile_id
937
Targets
-
-
Target
506c2f513d64242fcb20ccff8c26c0ed1755fe9120b984c29ba224b311d635c3.bin
-
Size
403KB
-
MD5
d1b2c8ddca2f8dd02e2c132153055084
-
SHA1
21c011ac7406eef048c175f5887e4eb885c050d6
-
SHA256
506c2f513d64242fcb20ccff8c26c0ed1755fe9120b984c29ba224b311d635c3
-
SHA512
ab73df911df41235159341cc8fefed284a3f9720f241b51dfe2db2ac415b3438d5fbbeacfa980a61d402edc64afeda87447ccda49b7d279fba524036e9287594
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-