redline

General

Target

c29979f640af8a742bc6c19069e1f798b99b83ee101520572c2c242bc429241f
Size

283KB
Sample

220621-nmtrcafec3
MD5

c49ecf6c2299f7f5a17a40768c167df9
SHA1

f7e37529ddc674eae51922db3294f0eee4b5e953
SHA256

c29979f640af8a742bc6c19069e1f798b99b83ee101520572c2c242bc429241f
SHA512

e06ccd7b052f550c905b283506c1240a6ab61b1fb8159a9a3d47a061ee0c9c18c0e4ec4481f3ab3331d1e15e6b9ea9d6616cb2184bcfe5d26dba22abe00e4e72

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

52.6

Botnet

1415

C2

https://t.me/tg_dailylessons

https://busshi.moe/@olegf9844xx

Attributes

profile_id
1415

Extracted

Family

redline

Botnet

USAeuTEST

C2

193.106.191.246:23196

Attributes

auth_value
7dbf5ba6d421c1b0e8ce8d5867af4537

Extracted

Family

redline

Botnet

mario2

C2

193.106.191.129:80

Attributes

auth_value
4ef7e3fec3a418b2f0233b604d0560d9

Targets

- Target
  
  c29979f640af8a742bc6c19069e1f798b99b83ee101520572c2c242bc429241f
- Size
  
  283KB
- MD5
  
  c49ecf6c2299f7f5a17a40768c167df9
- SHA1
  
  f7e37529ddc674eae51922db3294f0eee4b5e953
- SHA256
  
  c29979f640af8a742bc6c19069e1f798b99b83ee101520572c2c242bc429241f
- SHA512
  
  e06ccd7b052f550c905b283506c1240a6ab61b1fb8159a9a3d47a061ee0c9c18c0e4ec4481f3ab3331d1e15e6b9ea9d6616cb2184bcfe5d26dba22abe00e4e72
Score

10^/10

redline vidar 1415 mario2 usaeutest discovery infostealer spyware stealer suricata
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
  suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
  suricata
- suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
  suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
  suricata
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1