General
Target: 7ac8281e531201eaee1a85dd4aa0cdb05c1569e2a72becbcdee2e2ca9e7210d9
Size: 3.2MB
Sample: 220312-y83w9aagc4
MD5: 152253b9d8b76c6ebc0595e268272502
SHA1: 51a5b3828eae7f40e92dcd5a58e6f574a0c3463b
SHA256: 7ac8281e531201eaee1a85dd4aa0cdb05c1569e2a72becbcdee2e2ca9e7210d9
SHA512: 938cfd95a8d775f868f4b2e4ddd954a34adf3e23ef4a19edac137c610fd14eba1333b18dd1eb87b575f82a35cdb00b52d4873d6577ab1954d90f083962cf73cc
Static task: static1
Behavioral task: behavioral1
Sample: 7ac8281e531201eaee1a85dd4aa0cdb05c1569e2a72becbcdee2e2ca9e7210d9.exe
Resource: win7-20220311-en
Malware Config
Extracted: redline
NCanal01
pupdatastart.tech:80
pupdatastart.xyz:80
pupdatastar.store:80
Extracted: vidar
39.3
706
https://bandakere.tumblr.com/
profile_id: 706
Extracted: redline
Ani
yaklalau.xyz:80
Extracted: smokeloader
2020
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
Targets
Target: 7ac8281e531201eaee1a85dd4aa0cdb05c1569e2a72becbcdee2e2ca9e7210d9
Size: 3.2MB
MD5: 152253b9d8b76c6ebc0595e268272502
SHA1: 51a5b3828eae7f40e92dcd5a58e6f574a0c3463b
SHA256: 7ac8281e531201eaee1a85dd4aa0cdb05c1569e2a72becbcdee2e2ca9e7210d9
SHA512: 938cfd95a8d775f868f4b2e4ddd954a34adf3e23ef4a19edac137c610fd14eba1333b18dd1eb87b575f82a35cdb00b52d4873d6577ab1954d90f083962cf73cc
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar Stealer
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext