General
-
Target
Thu18b818b5afea12f2.exe
-
Size
729KB
-
Sample
211104-zrrnbsefhn
-
MD5
93147832f4525e82c2689696eb7181a3
-
SHA1
117e20a1c49a747790926aed5aa5df3fddf53176
-
SHA256
d2b9dc534706dae318f52ff894176f2cf187b5d71d53e24f9ad9ef74efac06dc
-
SHA512
47a44831f228fbe99466faa9345872e6fafcab27a6f8536410c440266357dbdceff8fc6cecc2445635281882139b3e6a5396a1c3a42f5e4958b159a466ec1adc
Static task
static1
Behavioral task
behavioral1
Sample
Thu18b818b5afea12f2.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
Thu18b818b5afea12f2.exe
Resource
win10-en-20211014
Malware Config
Extracted
socelars
http://www.hhgenice.top/
Extracted
redline
udptest
193.56.146.64:65441
Extracted
redline
albert1488
138.124.186.108:11542
Extracted
redline
138.197.79.250:11642
Extracted
smokeloader
2020
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
Extracted
vidar
47.9
937
https://mas.to/@kirpich
-
profile_id
937
Extracted
raccoon
8dec62c1db2959619dca43e02fa46ad7bd606400
-
url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar
Targets
-
-
Target
Thu18b818b5afea12f2.exe
-
Size
729KB
-
MD5
93147832f4525e82c2689696eb7181a3
-
SHA1
117e20a1c49a747790926aed5aa5df3fddf53176
-
SHA256
d2b9dc534706dae318f52ff894176f2cf187b5d71d53e24f9ad9ef74efac06dc
-
SHA512
47a44831f228fbe99466faa9345872e6fafcab27a6f8536410c440266357dbdceff8fc6cecc2445635281882139b3e6a5396a1c3a42f5e4958b159a466ec1adc
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Socelars Payload
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-