General
-
Target
a2b42362fc4bdaf4b259e757ebdcbe1e.exe
-
Size
230KB
-
Sample
220315-qe1k2adbgj
-
MD5
a2b42362fc4bdaf4b259e757ebdcbe1e
-
SHA1
bafc33956a5c5cbf797fdf4156bf6f0556c6af9e
-
SHA256
8119fad3b28a478680b211052a3af868e09be4cc9fd8af4d5fef720d522e22dc
-
SHA512
0cbfe046a7d6a8901b5f395b8e789f81437a81d602db80169ce985b5a120e7bec11e1e2169ca568461558e55b2f2a7a6a59a111a04e37aac168a44ce3d307b2e
Malware Config
Extracted
redline
da da
86.107.197.196:63065
-
auth_value
9b1654b30797c210c85bd0890936a5b9
Extracted
vidar
50.9
1177
https://ieji.de/@sam7al
https://busshi.moe/@sam0al
-
profile_id
1177
Extracted
vidar
50.9
937
https://ieji.de/@sam7al
https://busshi.moe/@sam0al
-
profile_id
937
Extracted
redline
ruz876
185.215.113.7:5186
-
auth_value
4750f6742a496bbe74a981d51e7680ad
Extracted
redline
ruzki14_03
176.122.23.55:11768
-
auth_value
13b742acfe493b01c5301781c98d3fbe
Extracted
redline
filinnn1
5.45.77.29:2495
-
auth_value
da347df57c88b125ede510dbe7fcc0f4
Extracted
redline
nam11
103.133.111.182:44839
-
auth_value
aa901213c47adf1c4bbe06384de2a9ab
Extracted
redline
GLO1503
144.76.173.68:16125
-
auth_value
3338ae9cd5608d5f60db27601c9ac727
Targets
-
-
Target
a2b42362fc4bdaf4b259e757ebdcbe1e.exe
-
Size
230KB
-
MD5
a2b42362fc4bdaf4b259e757ebdcbe1e
-
SHA1
bafc33956a5c5cbf797fdf4156bf6f0556c6af9e
-
SHA256
8119fad3b28a478680b211052a3af868e09be4cc9fd8af4d5fef720d522e22dc
-
SHA512
0cbfe046a7d6a8901b5f395b8e789f81437a81d602db80169ce985b5a120e7bec11e1e2169ca568461558e55b2f2a7a6a59a111a04e37aac168a44ce3d307b2e
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
OnlyLogger Payload
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-