redline

General

Target

75860e56291a807f0fbd1efc06da5160dbbe7e80f2dffaead60cfd69b5a6e9d0
Size

286KB
Sample

220621-abss1sgbh8
MD5

a8cdb12c187b404169b233c15fd1304e
SHA1

0032e7409837d49406786d074df654067a8708e4
SHA256

75860e56291a807f0fbd1efc06da5160dbbe7e80f2dffaead60cfd69b5a6e9d0
SHA512

4fd90dd9cc23a38358e77eadd462693dc499af5c6ccec2e913aa7dd32fa29c4533772099625d958f6bcc301b88ca97e3174b6c8f79459443ca28919b30248d6f

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

52.6

Botnet

1415

C2

https://t.me/tg_dailylessons

https://busshi.moe/@olegf9844xx

Attributes

profile_id
1415

Extracted

Family

redline

Botnet

USAeuTEST

C2

193.106.191.246:23196

Attributes

auth_value
7dbf5ba6d421c1b0e8ce8d5867af4537

Extracted

Family

redline

Botnet

mario2

C2

193.106.191.129:80

Attributes

auth_value
4ef7e3fec3a418b2f0233b604d0560d9

Targets

- Target
  
  75860e56291a807f0fbd1efc06da5160dbbe7e80f2dffaead60cfd69b5a6e9d0
- Size
  
  286KB
- MD5
  
  a8cdb12c187b404169b233c15fd1304e
- SHA1
  
  0032e7409837d49406786d074df654067a8708e4
- SHA256
  
  75860e56291a807f0fbd1efc06da5160dbbe7e80f2dffaead60cfd69b5a6e9d0
- SHA512
  
  4fd90dd9cc23a38358e77eadd462693dc499af5c6ccec2e913aa7dd32fa29c4533772099625d958f6bcc301b88ca97e3174b6c8f79459443ca28919b30248d6f
Score

10^/10

redline vidar 1415 mario2 usaeutest collection discovery infostealer spyware stealer suricata
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
  suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
  suricata
- suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
  suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
  suricata
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1