General
- Target: c56dd90eb27de4ab9076d3548eee9f3871ab2144c1c9e660190924b8624ccbec
- Size: 3.1MB
- Sample: 220314-qzk13shhfm
- MD5: c30daf8cf0d6f78e07a97fef36466de1
- SHA1: 82bb42635867060ba0293e0fbefb312ca505e364
- SHA256: c56dd90eb27de4ab9076d3548eee9f3871ab2144c1c9e660190924b8624ccbec
- SHA512: 86fa74fed6589f84d8826fdd72d9e5a44010a6ba50b6164dfe60c5f44dcf016f33b87dcf551ad9bb18df71ba458f53e46967eb4e06b9653d31b29b9a52a7b776
Static task: static1
Malware Config
Extracted: vidar
- Version: 39.4
- profile_id: 706
- C2: https://sergeevih43.tumblr.com/
Extracted: smokeloader
- Version: 2020
- C2: http://ppcspb.com/upload/
- C2: http://mebbing.com/upload/
- C2: http://twcamel.com/upload/
- C2: http://howdycash.com/upload/
- C2: http://lahuertasonora.com/upload/
- C2: http://kpotiques.com/upload/
Extracted: vidar
- Version: 50.7
- profile_id: 1177
- C2: https://ruhr.social/@sam9al
- C2: https://koyu.space/@samsa2l
Extracted: redline
- Botnet: DomAni2
- C2: flestriche.xyz:80
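The following is an added example and is not part of the sandbox report. It takes the extracted configs above as data and turns them into hunting indicators, then runs them over a few constructed proxy log lines. The point it makes is the one the report's "Legitimate hosting services abused" signature hints at: the tumblr.com, ruhr.social and koyu.space entries are actor profiles on legitimate services, so they are matched on host plus path only, while the dedicated SmokeLoader and RedLine domains are matched on host alone. The set of shared services and the log line layout (timestamp, source IP, method, URL, status) are assumptions made for this example.

```python
"""
Added example: build hunting indicators from the extracted configs above
and scan proxy log lines for matches. Not part of the sandbox report.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Extracted configs copied from the report's "Malware Config" section:
# (family, version, botnet/profile id, C2 list).
EXTRACTED = [
    ("vidar", "39.4", "706", ["https://sergeevih43.tumblr.com/"]),
    ("smokeloader", "2020", None, [
        "http://ppcspb.com/upload/", "http://mebbing.com/upload/",
        "http://twcamel.com/upload/", "http://howdycash.com/upload/",
        "http://lahuertasonora.com/upload/", "http://kpotiques.com/upload/"]),
    ("vidar", "50.7", "1177", ["https://ruhr.social/@sam9al",
                               "https://koyu.space/@samsa2l"]),
    ("redline", None, "DomAni2", ["flestriche.xyz:80"]),
]

# Legitimate services the report flags as abused for C2/dead drops.
# Assumption for this example: these are matched on host+path only,
# because alerting on the whole service would be pure noise.
SHARED_SERVICES = {"tumblr.com", "ruhr.social", "koyu.space"}


@dataclass(frozen=True)
class Indicator:
    family: str
    host: str
    path: str        # only enforced when host_only is False
    host_only: bool  # dedicated attacker domain: any request is a hit


def _split(url: str):
    """Return (host, path) for a URL or a bare host:port string."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def build_indicators(configs=EXTRACTED):
    out = []
    for family, _version, _botnet, c2s in configs:
        for c2 in c2s:
            host, path = _split(c2)
            apex = ".".join(host.split(".")[-2:])
            shared = host in SHARED_SERVICES or apex in SHARED_SERVICES
            out.append(Indicator(family, host, path, host_only=not shared))
    return out


def scan_logs(lines, indicators=None):
    """Match proxy log lines ("ts src method url status") against the
    indicators; returns one (src, family, url) tuple per hit."""
    indicators = indicators or build_indicators()
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        src, url = fields[1], fields[3]
        host, path = _split(url)
        for ind in indicators:
            if host == ind.host and (ind.host_only or path == ind.path):
                hits.append((src, ind.family, url))
                break
    return hits


# Constructed proxy log lines for this example (not from the report).
# Line 2 and line 5 are benign traffic to the same shared services.
SAMPLE_LOGS = [
    "2022-03-14T10:05:12Z 10.0.0.5 GET http://ppcspb.com/upload/ 200",
    "2022-03-14T10:06:01Z 10.0.0.7 GET https://ruhr.social/@someone_else 200",
    "2022-03-14T10:06:40Z 10.0.0.7 GET https://ruhr.social/@sam9al 200",
    "2022-03-14T10:07:03Z 10.0.0.9 CONNECT flestriche.xyz:80 200",
    "2022-03-14T10:08:11Z 10.0.0.3 GET https://www.tumblr.com/ 200",
]

if __name__ == "__main__":
    for src, family, url in scan_logs(SAMPLE_LOGS):
        print(f"{src} -> {family}: {url}")
```

Run stand-alone it reports three hits (SmokeLoader, Vidar, RedLine) and stays silent on the other Mastodon profile and on tumblr.com itself; the RedLine entry shows why the parser must accept a bare host:port, since that is how the sandbox extracted it.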
Targets
- Target: c56dd90eb27de4ab9076d3548eee9f3871ab2144c1c9e660190924b8624ccbec
- Size: 3.1MB
- MD5: c30daf8cf0d6f78e07a97fef36466de1
- SHA1: 82bb42635867060ba0293e0fbefb312ca505e364
- SHA256: c56dd90eb27de4ab9076d3548eee9f3871ab2144c1c9e660190924b8624ccbec
- SHA512: 86fa74fed6589f84d8826fdd72d9e5a44010a6ba50b6164dfe60c5f44dcf016f33b87dcf551ad9bb18df71ba458f53e46967eb4e06b9653d31b29b9a52a7b776
Signatures
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- suricata: ET MALWARE GCleaner Downloader Activity M5
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
- OnlyLogger Payload
- Vidar Stealer
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, most likely a geofence check.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.