redline

General

Target

7470796127.zip
Size

2.5MB
Sample

220520-n3y11abbg5
MD5

c71a2a91e5f839bb780148cda726fae2
SHA1

e8aba7f1ddcc3aee078384b9ce669b079363f752
SHA256

bc216a74104d2769435504e1ebcb968824510db1ce1a761052625bd8beb148dd
SHA512

0f49cb1259c0fb34a9e4a749206927d8934070f31726a719fd67fe37b62019f1d1bb1a9678ac3ae9e12dcc956fc7e33d196881e39b0cf3f3dfadaa583646c0ea

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

leo5

C2

cenyeyalory.xyz:80

kaiaiannial.xyz:80

viasanainah.xyz:80

xtelstasiup.xyz:80

Attributes

auth_value
be820120fdc25e4fee4cd33b669b3e2c

Extracted

Family

vidar

Version

52.1

Botnet

1281

C2

https://t.me/verstappenf1r

Attributes

profile_id
1281

Targets

- Target
  
  setup/AISetup-Crack.exe
- Size
  
  346.0MB
- MD5
  
  90ef61d984f55737294d927f72496891
- SHA1
  
  565881a9d1583474f6323b9fa5abb03055264965
- SHA256
  
  d0c043510a0cb5f5c3d0812f2e7f961be85f538ef7f8ed1be70c85e0cf20f3a6
- SHA512
  
  608148ee5e611bb65931f64d86fc2ae8f432dc1fa91763b3680ea5f46f44f1000d5a24e7cc7fd85737729ad64f2bb88f07e537a4d641e26220089829fccd057e
Score

10^/10

redline leo5 infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  setup/Pre-Activated-Setup.exe
- Size
  
  347.3MB
- MD5
  
  6c61d27cdd0a9c8750a92021990fbc19
- SHA1
  
  7f6fdf0db122195d4737f5ca85e292e0f10fbccd
- SHA256
  
  8195c3e7fde033b97d9a99d642e841a4d78e4610a2e2867e303d8bd4baa6eac2
- SHA512
  
  685a7bfb68072cb4f59c9137b6910f75da31401a6bbf915ddd2217400d367473b325b0c36f2705219363ebab9fcc8b0cbaed6839c2dcd403e1ee70eb31bd96f4
Score

10^/10

vidar 1281 spyware stealer suricata
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
  suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
  suricata
- Vidar Stealer
  stealer
- Loads dropped DLL
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

RedLine Payload

Suspicious use of SetThreadContext

Vidar

suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

Vidar Stealer

Loads dropped DLL

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4