General
Target: fe42ba9d6980de10106ceed31a85b4c6bf257e12c695c3a26cda69e15054eaf5
Size: 345KB
Sample: 211022-nkf3gabee6
MD5: cfce91e3dc6771f21a6fa305f833e27e
SHA1: c9e8e53d489cf0402e43f5c241928f4d3d5bd470
SHA256: fe42ba9d6980de10106ceed31a85b4c6bf257e12c695c3a26cda69e15054eaf5
SHA512: 0d60ab5e8e837d6c738ed83d2f3107829c54f9ff5535d5120e0c7f749cddbda843e4a4a025877a61897ceb7641418c9fcb1f594dec9c52f099d9a52aab07b237
Static task: static1
Malware Config
Extracted: smokeloader
Version: 2020
C2:
http://gejajoo7.top/
http://sysaheu9.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
Extracted: redline
Botnet: MRFSW
C2: 65.21.194.86:2451
Extracted: vidar
Version: 41.5
Botnet: 706
C2: https://mas.to/@xeroxxx
profile_id: 706
Note that the Vidar "C2" is not attacker infrastructure but a profile page on mas.to, a public Mastodon instance. Vidar reads its real C2 address from that profile at run time (a dead-drop resolver), which is what the "Legitimate hosting services abused for malware hosting/C2" signature below refers to; the indicator worth blocking or alerting on is therefore the full URL, not the mas.to domain.
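The three extracted configs above have three different shapes (a version plus a URL list for SmokeLoader, a botnet name plus ip:port for RedLine, a version, botnet, dead-drop URL and a profile_id attribute for Vidar). The following parser, added here as an example and not part of the report or of any of the three families' code, turns the raw dump layout of that section into per-family records and a defanged indicator list. The embedded input is the section copied verbatim; the dead-drop host list is an assumption used to tag the mas.to URL differently from real C2 URLs.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# The "Extracted" blocks copied from the report's raw dump layout:
# family name, then values, with a "-" separator before key/value attributes.
REPORT_CONFIG = """\
Extracted
smokeloader
2020
http://gejajoo7.top/
http://sysaheu9.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
Extracted
redline
MRFSW
65.21.194.86:2451
Extracted
vidar
41.5
706
https://mas.to/@xeroxxx
-
profile_id
706
"""

URL_RE = re.compile(r"^https?://", re.IGNORECASE)
HOSTPORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")

# Public services used as dead-drop resolvers rather than as C2 servers (assumed list).
# A URL on one of these is blocked as a full URL, never as a domain.
DEAD_DROP_HOSTS = {"mas.to", "t.me", "telegram.me"}


@dataclass
class FamilyConfig:
    family: str
    version: Optional[str] = None
    botnet: Optional[str] = None
    c2: List[str] = field(default_factory=list)
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_configs(text: str) -> List[FamilyConfig]:
    """One FamilyConfig per 'Extracted' block of the dump layout."""
    configs: List[FamilyConfig] = []
    current: Optional[FamilyConfig] = None
    in_attributes = False            # becomes True after the "-" separator
    pending_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Extracted":
            current, in_attributes, pending_key = None, False, None
            continue
        if current is None:          # first line after "Extracted" is the family name
            current = FamilyConfig(family=line.lower())
            configs.append(current)
            continue
        if line == "-":
            in_attributes = True
            continue
        if in_attributes:            # attribute key on one line, its value on the next
            if pending_key is None:
                pending_key = line
            else:
                current.attributes[pending_key] = line
                pending_key = None
        elif URL_RE.match(line) or HOSTPORT_RE.match(line):
            current.c2.append(line)
        elif VERSION_RE.match(line) and current.version is None:
            current.version = line   # first bare number is the version/build
        else:
            current.botnet = line    # any other bare token is the botnet/build id
    return configs


def defang(value: str) -> str:
    """hxxp:// and [.] so the indicator cannot be clicked or auto-linked."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def iocs(configs: List[FamilyConfig]) -> List[Dict[str, str]]:
    out: List[Dict[str, str]] = []
    for cfg in configs:
        for c2 in cfg.c2:
            m = HOSTPORT_RE.match(c2)
            if m:
                ipaddress.ip_address(m.group(1))   # raises on a malformed address
                out.append({"family": cfg.family, "type": "ip:port",
                            "value": c2, "defanged": defang(c2)})
                continue
            host = (urlsplit(c2).hostname or "").lower()
            kind = "dead_drop_url" if host in DEAD_DROP_HOSTS else "c2_url"
            out.append({"family": cfg.family, "type": kind,
                        "value": c2, "defanged": defang(c2)})
    return out


if __name__ == "__main__":
    for ioc in iocs(parse_configs(REPORT_CONFIG)):
        print(f"{ioc['family']:<12}{ioc['type']:<14}{ioc['defanged']}")
```

Running the block prints twelve tagged, defanged indicators: ten SmokeLoader C2 URLs, the RedLine ip:port and the Vidar dead-drop URL. The attribute handling (profile_id) is driven by the "-" separator rather than by guessing which tokens are keys, so a botnet name that happens to be lowercase is not mistaken for an attribute.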
Targets
Target: fe42ba9d6980de10106ceed31a85b4c6bf257e12c695c3a26cda69e15054eaf5 (345KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess (a process created with a spoofed parent, which breaks parent/child process-tree analysis)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Downloads MZ/PE file
Executes dropped EXE
Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
Deletes itself
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system (a near-empty list is itself a sandbox indicator).
Legitimate hosting services abused for malware hosting/C2 (the Vidar C2 above is a profile on mas.to, a public Mastodon instance)
Suspicious use of NtSetInformationThreadHideFromDebugger (anti-debugging: the thread is hidden from an attached debugger)
Suspicious use of SetThreadContext (redirects execution in another thread or process, commonly seen with process hollowing and injection)
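Three of the signatures above (VirtualBox via ACPI registry values, BIOS information in the registry, installed software via the Uninstall key) are registry reads that an analysis VM can be checked against before a sample like this one is detonated. The following self-check, added here as an example and not part of the report or of any tool it names, reads the same locations and reports every value a VM check would match. The marker list and the two snapshots are assumptions: one is a constructed image of an unmodified VirtualBox guest with its default vendor strings, the other a constructed image of the same guest after the DMI and ACPI strings were overridden at the hypervisor level and the guest additions removed.

```python
from typing import Any, Dict, List

try:
    import winreg                  # Windows only; the matching logic works anywhere
except ImportError:
    winreg = None

# Registry locations behind the report's anti-VM and software-enumeration signatures.
BIOS_KEY = r"HARDWARE\DESCRIPTION\System\BIOS"
BIOS_VALUES = ("SystemManufacturer", "SystemProductName", "BIOSVendor", "BIOSVersion")
SYSTEM_KEY = r"HARDWARE\DESCRIPTION\System"
SYSTEM_VALUES = ("SystemBiosVersion", "VideoBiosVersion")        # REG_MULTI_SZ
ACPI_DSDT_KEY = r"HARDWARE\ACPI\DSDT"        # subkey name is the DSDT OEM ID, VBOX__ on VirtualBox
UNINSTALL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

# Substrings malware commonly matches against those values (assumed, representative list).
VM_MARKERS = ("vbox", "virtualbox", "innotek", "vmware", "qemu", "bochs", "xen", "parallels")

# Snapshot layout: {"values": {key: {name: data}}, "subkeys": {key: [names]}, "programs": [DisplayName]}
Snapshot = Dict[str, Any]


def _text(data: Any) -> str:
    return " ".join(data) if isinstance(data, (list, tuple)) else str(data)


def find_vm_artifacts(snap: Snapshot) -> List[str]:
    """Every registry artifact in the snapshot that a VM check would match."""
    hits: List[str] = []
    for key, names in ((BIOS_KEY, BIOS_VALUES), (SYSTEM_KEY, SYSTEM_VALUES)):
        for name in names:
            data = _text(snap["values"].get(key, {}).get(name, ""))
            if any(m in data.lower() for m in VM_MARKERS):
                hits.append(f"HKLM\\{key}\\{name} = {data}")
    for sub in snap["subkeys"].get(ACPI_DSDT_KEY, []):
        if sub.upper().startswith("VBOX"):
            hits.append(f"HKLM\\{ACPI_DSDT_KEY}\\{sub}")
    for name in snap["programs"]:        # guest tools show up in the Uninstall list
        if any(m in name.lower() for m in VM_MARKERS):
            hits.append(f"Uninstall entry: {name}")
    return hits


def _subkeys(key: str) -> List[str]:
    names: List[str] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
        i = 0
        while True:
            try:
                names.append(winreg.EnumKey(h, i))
                i += 1
            except OSError:          # no more subkeys
                return names


def snapshot_from_live_registry() -> Snapshot:
    """Read the same locations from the running host (Windows only)."""
    if winreg is None:
        raise RuntimeError("live registry access needs Windows")
    snap: Snapshot = {"values": {}, "subkeys": {}, "programs": []}
    for key, names in ((BIOS_KEY, BIOS_VALUES), (SYSTEM_KEY, SYSTEM_VALUES)):
        vals: Dict[str, Any] = {}
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
            for name in names:
                try:
                    vals[name] = winreg.QueryValueEx(h, name)[0]
                except FileNotFoundError:
                    pass
        snap["values"][key] = vals
    snap["subkeys"][ACPI_DSDT_KEY] = _subkeys(ACPI_DSDT_KEY)
    for sub in _subkeys(UNINSTALL_KEY):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UNINSTALL_KEY + "\\" + sub) as h:
                snap["programs"].append(winreg.QueryValueEx(h, "DisplayName")[0])
        except FileNotFoundError:
            pass
    return snap


# Constructed: an unmodified VirtualBox guest with its default vendor strings.
VBOX_DEFAULT: Snapshot = {
    "values": {
        BIOS_KEY: {"SystemManufacturer": "innotek GmbH", "SystemProductName": "VirtualBox",
                   "BIOSVendor": "innotek GmbH", "BIOSVersion": "VirtualBox"},
        SYSTEM_KEY: {"SystemBiosVersion": ["VBOX   - 1"],
                     "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.26 VGA BIOS"]},
    },
    "subkeys": {ACPI_DSDT_KEY: ["VBOX__"]},
    "programs": ["Oracle VM VirtualBox Guest Additions 6.1.26", "7-Zip 19.00 (x64)"],
}

# Constructed: the same guest with vendor-looking DMI/ACPI strings and ordinary software.
HARDENED: Snapshot = {
    "values": {
        BIOS_KEY: {"SystemManufacturer": "Dell Inc.", "SystemProductName": "OptiPlex 7080",
                   "BIOSVendor": "Dell Inc.", "BIOSVersion": "1.4.1"},
        SYSTEM_KEY: {"SystemBiosVersion": ["DELL   - 1072009"],
                     "VideoBiosVersion": ["Intel(R) Graphics"]},
    },
    "subkeys": {ACPI_DSDT_KEY: ["DELL__"]},
    "programs": ["Microsoft Edge", "7-Zip 19.00 (x64)", "Google Chrome"],
}

if __name__ == "__main__":
    snap = snapshot_from_live_registry() if winreg else VBOX_DEFAULT
    for hit in find_vm_artifacts(snap) or ["no VM artifacts found"]:
        print(hit)
```

On a Windows host the block reads the live registry; elsewhere it falls back to the constructed VirtualBox snapshot, which trips eight separate checks (four BIOS values, both REG_MULTI_SZ version strings, the VBOX__ DSDT subkey and the guest-additions Uninstall entry). Clearing all eight only addresses the registry reads listed in this report; a sample can still fingerprint the VM through other channels (CPUID, driver names, MAC prefixes), so treat an empty result as necessary rather than sufficient.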