redline

General

Target

bf538393e403f0da6f7aea34163fb26a6bb11dde34c632cfd639c1e24e085204
Size

4.0MB
Sample

220314-sw1ngabbam
MD5

d476eb927e028f4455f4cfbb338e9f91
SHA1

fe8d7691c8df423e7b8ea0942c04eae8d775f1c4
SHA256

bf538393e403f0da6f7aea34163fb26a6bb11dde34c632cfd639c1e24e085204
SHA512

f2ee9e5347c3b225a85fbd7cbb1cad4488557e1281197172dbffbba22c85e82f3fc2004f72fe6de6d5d26e1b56ba6e594313b002143e208ef4d234667f54fdac

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

OLKani

C2

ataninamei.xyz:80

Extracted

Family

vidar

Version

39.9

Botnet

706

C2

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

da da

C2

86.107.197.196:63065

Attributes

auth_value
9b1654b30797c210c85bd0890936a5b9

Targets

- Target
  
  bf538393e403f0da6f7aea34163fb26a6bb11dde34c632cfd639c1e24e085204
- Size
  
  4.0MB
- MD5
  
  d476eb927e028f4455f4cfbb338e9f91
- SHA1
  
  fe8d7691c8df423e7b8ea0942c04eae8d775f1c4
- SHA256
  
  bf538393e403f0da6f7aea34163fb26a6bb11dde34c632cfd639c1e24e085204
- SHA512
  
  f2ee9e5347c3b225a85fbd7cbb1cad4488557e1281197172dbffbba22c85e82f3fc2004f72fe6de6d5d26e1b56ba6e594313b002143e208ef4d234667f54fdac
Score

10^/10

redline smokeloader tofsee vidar 706 da da olkani aspackv2 backdoor evasion infostealer persistence spyware stealer suricata trojan upx
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2