General
Target: AB948F038175411DC326A1AAD83DF48D6B65632501551.exe
Size: 1.9MB
Sample: 211025-fre5rafeh4
MD5: 0667ace8cf940d7d56d3aa7ed7fe87e2
SHA1: 16a40ad88d0e8c93ed10e10ae423b8a0436dcbfd
SHA256: ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
SHA512: 01ba86a238552764e67820eb8e32de9b9951bab1a78d1ade40a20f756cffdbff2a260b4745545ccb075a6c5e0551f272d68adede05ad1f5764d8442ade70b356

Static task: static1

Behavioral task: behavioral1
Sample: AB948F038175411DC326A1AAD83DF48D6B65632501551.exe
Resource: win7-en-20211014

Behavioral task: behavioral2
Sample: AB948F038175411DC326A1AAD83DF48D6B65632501551.exe
Resource: win10-en-20210920

Malware Config

Extracted: vidar
40
706
https://lenak513.tumblr.com/
profile_id: 706

Extracted: smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://xacokuo8.top/
http://hajezey1.top/

Extracted: raccoon
8dec62c1db2959619dca43e02fa46ad7bd606400
url4cnc:
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar

Extracted: vidar
41.5
937
https://mas.to/@xeroxxx
profile_id: 937

Extracted: vidar
41.5
933
https://mas.to/@xeroxxx
profile_id: 933

Targets

Target: AB948F038175411DC326A1AAD83DF48D6B65632501551.exe
Size: 1.9MB
MD5: 0667ace8cf940d7d56d3aa7ed7fe87e2
SHA1: 16a40ad88d0e8c93ed10e10ae423b8a0436dcbfd
SHA256: ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
SHA512: 01ba86a238552764e67820eb8e32de9b9951bab1a78d1ade40a20f756cffdbff2a260b4745545ccb075a6c5e0551f272d68adede05ad1f5764d8442ade70b356

Signatures
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.