General
-
Target
63e94f064a262fba97797b1ac7f011dde6a270e575f1a57fc7bc9cc297365603
-
Size
3.6MB
-
Sample
220310-qbejdsaahk
-
MD5
ff81273c7c4e48c6d51ae2465e621c03
-
SHA1
fb045d029ee392c0722a41f75f1186eff41285fe
-
SHA256
63e94f064a262fba97797b1ac7f011dde6a270e575f1a57fc7bc9cc297365603
-
SHA512
a35bf1a1f04183c066f3cf56e9fdce2948782db509e2f0d50838e5e86030daa0f71fa4a417a657b43d26ec52e4c947ee19a502e843b1cd483a200e8336ae5d0c
Static task
static1
Behavioral task
behavioral1
Sample
63e94f064a262fba97797b1ac7f011dde6a270e575f1a57fc7bc9cc297365603.exe
Resource
win7-20220223-en
Malware Config
Extracted
redline
NCanal01
pupdatastart.tech:80
pupdatastart.xyz:80
pupdatastar.store:80
Extracted
vidar
39.3
706
https://bandakere.tumblr.com/
-
profile_id
706
Extracted
smokeloader
2020
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
Extracted
redline
Ani
yaklalau.xyz:80
Targets
-
-
Target
63e94f064a262fba97797b1ac7f011dde6a270e575f1a57fc7bc9cc297365603
-
Size
3.6MB
-
MD5
ff81273c7c4e48c6d51ae2465e621c03
-
SHA1
fb045d029ee392c0722a41f75f1186eff41285fe
-
SHA256
63e94f064a262fba97797b1ac7f011dde6a270e575f1a57fc7bc9cc297365603
-
SHA512
a35bf1a1f04183c066f3cf56e9fdce2948782db509e2f0d50838e5e86030daa0f71fa4a417a657b43d26ec52e4c947ee19a502e843b1cd483a200e8336ae5d0c
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar Stealer
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-