General

Target: 67CD381D1702CB66CC450E13B1E8A27A3FF8C6713AF8A.exe
Size: 2.7MB
Sample: 220331-hj7k5sfgd4
MD5: c5abebc7ba2b70520f66640385b53a75
SHA1: e5784bbd7f392d26ee0f40c8b0c60563c0e81a44
SHA256: 67cd381d1702cb66cc450e13b1e8a27a3ff8c6713af8a925945b1cb449247578
SHA512: 82b189a6598b849f1c67267878942a3272bdc6ec70872c5f18cefb5eb9ee7543b8bb422d6eb66ac7a87f1e34cd16bf138d68441469f026f2586ed13113cab2ec
Static task: static1

Behavioral task: behavioral1
  Sample: 67CD381D1702CB66CC450E13B1E8A27A3FF8C6713AF8A.exe
  Resource: win7-20220311-en

Behavioral task: behavioral2
  Sample: 67CD381D1702CB66CC450E13B1E8A27A3FF8C6713AF8A.exe
  Resource: win10v2004-20220310-en
Malware Config

Extracted: vidar
  Version: 39.6
  Botnet: 933
  C2: https://sslamlssa1.tumblr.com/
  Attributes: profile_id = 933

Extracted: redline
  C2: 193.106.191.253:4752
  Attributes: auth_value = ec8cbe4ac27e8d5a62e72c4281063258

Extracted: redline
  Botnet: @ywqmre
  C2: 185.215.113.66:26416
  Attributes: auth_value = 5aab3b27575b218cc78165f1b5c607a0

Extracted: redline
  Botnet: BOYSAC
  C2: 45.9.88.246:22191
  Attributes: auth_value = f78eba48376b0dd1233e826415811981

Extracted: redline
  Botnet: Cana01
  C2: 176.111.174.254:56328

Extracted: smokeloader
  Version: 2020
  C2:
    http://conceitosseg.com/upload/
    http://integrasidata.com/upload/
    http://ozentekstil.com/upload/
    http://finbelportal.com/upload/
    http://telanganadigital.com/upload/

Extracted: warzonerat
  C2: 108.170.60.184:5200
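The extracted-config block above is flattened one token per line, which is awkward to feed into a blocklist or a TI platform by hand. The script below is an added example, not part of the sandbox report: it parses a copy of this page's config block (embedded as CONFIG_TEXT), splits it into per-family records and emits a deduplicated IOC table. The labels Version/Botnet/Attributes are the parser's own interpretation of the unlabelled tokens; the report does not name them.

```python
"""Parse the flattened "Malware Config" block of a sandbox report into IOCs.

Added example, not part of the sandbox report. CONFIG_TEXT is a copy of the
extracted-config block from this report, one token per line exactly as the
page presents it; the labels version/botnet/attributes are the parser's own
interpretation of the unlabelled tokens.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

CONFIG_TEXT = """\
Extracted
vidar
39.6
933
https://sslamlssa1.tumblr.com/
-
profile_id
933
Extracted
redline
193.106.191.253:4752
-
auth_value
ec8cbe4ac27e8d5a62e72c4281063258
Extracted
redline
@ywqmre
185.215.113.66:26416
-
auth_value
5aab3b27575b218cc78165f1b5c607a0
Extracted
redline
BOYSAC
45.9.88.246:22191
-
auth_value
f78eba48376b0dd1233e826415811981
Extracted
redline
Cana01
176.111.174.254:56328
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Extracted
warzonerat
108.170.60.184:5200
"""

HOSTPORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


@dataclass
class ExtractedConfig:
    family: str
    version: Optional[str] = None
    botnet: Optional[str] = None
    c2: List[str] = field(default_factory=list)
    attributes: Dict[str, str] = field(default_factory=dict)


def is_c2(token: str) -> bool:
    """True for an IPv4:port pair or an http(s) URL."""
    m = HOSTPORT_RE.match(token)
    if m:
        try:
            ipaddress.ip_address(m.group(1))
        except ValueError:
            return False
        return 0 < int(m.group(2)) < 65536
    return urlparse(token).scheme in ("http", "https")


def parse_config(text: str) -> List[ExtractedConfig]:
    """Split the block on "Extracted" markers and classify each token.

    Token order within one entry is: family, optional version, optional botnet
    name, C2 endpoints, then "-"-prefixed key/value attribute pairs. A purely
    numeric botnet name with no version present would be read as a version;
    that ambiguity is inherent to the unlabelled layout.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    configs: List[ExtractedConfig] = []
    i = 0
    while i < len(lines):
        if lines[i] != "Extracted" or i + 1 >= len(lines):
            raise ValueError(f"expected 'Extracted <family>' at token {i}")
        cfg = ExtractedConfig(family=lines[i + 1])
        i += 2
        while i < len(lines) and lines[i] != "Extracted":
            tok = lines[i]
            if tok == "-":
                # "-" introduces an attribute: the next two tokens are key, value
                if i + 2 >= len(lines):
                    raise ValueError("truncated attribute pair")
                cfg.attributes[lines[i + 1]] = lines[i + 2]
                i += 3
                continue
            if is_c2(tok):
                cfg.c2.append(tok)
            elif cfg.c2:
                raise ValueError(f"unexpected token {tok!r} after C2 list")
            elif cfg.version is None and VERSION_RE.match(tok):
                cfg.version = tok
            elif cfg.botnet is None:
                cfg.botnet = tok
            else:
                raise ValueError(f"cannot classify token {tok!r}")
            i += 1
        configs.append(cfg)
    return configs


def ioc_table(configs: List[ExtractedConfig]) -> Dict[str, List[str]]:
    """Deduplicated, sorted IOCs by type, ready for blocklist export."""
    table: Dict[str, set] = {"ipv4": set(), "url": set(), "domain": set()}
    for cfg in configs:
        for c2 in cfg.c2:
            m = HOSTPORT_RE.match(c2)
            if m:
                table["ipv4"].add(m.group(1))
            else:
                table["url"].add(c2)
                host = urlparse(c2).hostname
                if host:
                    table["domain"].add(host)
    return {kind: sorted(values) for kind, values in table.items()}


if __name__ == "__main__":
    parsed = parse_config(CONFIG_TEXT)
    for cfg in parsed:
        print(cfg)
    for kind, values in ioc_table(parsed).items():
        print(kind, values)
```

Ports are deliberately dropped from the IOC table: the RedLine and WarzoneRAT ports here are per-build, so blocking on the IP alone is the more durable indicator, while the full host:port pair stays available in each ExtractedConfig for a network detection rule.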
Targets

Target: 67CD381D1702CB66CC450E13B1E8A27A3FF8C6713AF8A.exe (hashes as listed under General)
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
  The Vidar C2 extracted above is a tumblr.com URL.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Anti-debugging: hides the calling thread from an attached debugger.
- Suspicious use of SetThreadContext
  Commonly used to redirect execution into injected code (process hollowing/injection).
MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion
  Modify Registry (2)
  Disabling Security Tools (1)
  Virtualization/Sandbox Evasion (1)
  Install Root Certificate (1)
  Hidden Files and Directories (1)