General
- Target: f9f889a935bbe1a2486683b9d11ba65eb0e1f835d21869edf61c4bc82dea5047
- Size: 3.3MB
- Sample: 220315-rhl3gsagdn
- MD5: fbff7d5caff405cbe71cbff3e78e4810
- SHA1: 833c6d74b98ba452f1e508ddf833ff79b36e9631
- SHA256: f9f889a935bbe1a2486683b9d11ba65eb0e1f835d21869edf61c4bc82dea5047
- SHA512: 4c0872e042aa12a672fbd079c1c54c787f41cff8b9f140cfbaed0f01bd691df2698581252e8eb6b791ece43e5c356470e073f452912a54634e6f1154c51f84ae
Static task: static1
Behavioral task: behavioral1
- Sample: f9f889a935bbe1a2486683b9d11ba65eb0e1f835d21869edf61c4bc82dea5047.exe
- Resource: win7-20220311-en
Malware Config
Extracted: redline
- AniOLD
- liezaphare.xyz:80
Extracted: smokeloader
- 2020
- http://aucmoney.com/upload/
- http://thegymmum.com/upload/
- http://atvcampingtrips.com/upload/
- http://kuapakualaman.com/upload/
- http://renatazarazua.com/upload/
- http://nasufmutlu.com/upload/
Extracted: vidar
- 39.8
- 706
- https://xeronxikxxx.tumblr.com/
- profile_id: 706
Targets
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
- Vidar Stealer
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext