General
-
Target
b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5
-
Size
279KB
-
Sample
220503-zb9h7sefen
-
MD5
feb4828a3899927cefbe713d09ce4602
-
SHA1
c45bfefa95d41f8f919f661183693fbd9f4f1571
-
SHA256
b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5
-
SHA512
cbfe9a74dbb4371de2be1b04e872fb5650dfd7eabba96534f60b4519a7f9b8e7c1d5fecaa0f01583bbeafe7f4c3d862cfd6afa54b9329c4cc470f14f5bf09392
Static task
static1
Behavioral task
behavioral1
Sample
b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5.exe
Resource
win10-20220414-en
Malware Config
Extracted
smokeloader
2020
http://monsutiur4.com/
http://nusurionuy5ff.at/
http://moroitomo4.net/
http://susuerulianita1.net/
http://cucumbetuturel4.com/
http://nunuslushau.com/
http://linislominyt11.at/
http://luxulixionus.net/
http://lilisjjoer44.com/
http://nikogminut88.at/
http://limo00ruling.org/
http://mini55tunul.com/
http://samnutu11nuli.com/
http://nikogkojam.org/
Extracted
redline
MARIO01_04
176.122.23.55:32478
-
auth_value
ed0902db14986ce5710c8e3a2307dc2f
Extracted
vidar
52
937
https://t.me/hollandracing
https://busshi.moe/@ronxik321
-
profile_id
937
Extracted
redline
slovarik2
185.215.113.115:39325
-
auth_value
6521f196e626a6e5adbea705ca0f48e2
Targets
-
-
Target
b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5
-
Size
279KB
-
MD5
feb4828a3899927cefbe713d09ce4602
-
SHA1
c45bfefa95d41f8f919f661183693fbd9f4f1571
-
SHA256
b9c23593d588f9d13dcfd5e5e180183a138d7c4253e0702cc4952a9f721996b5
-
SHA512
cbfe9a74dbb4371de2be1b04e872fb5650dfd7eabba96534f60b4519a7f9b8e7c1d5fecaa0f01583bbeafe7f4c3d862cfd6afa54b9329c4cc470f14f5bf09392
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
-
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
-
Vidar Stealer
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-