redline | 42af13bbcc6d3ce213d165f1587104d2b10818f4da513554d6299ebf5db5ce58 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

42af13bbcc6d3ce213d165f1587104d2b10818f4da513554d6299ebf5db5ce58
Size

1.4MB
Sample

220725-vqjtwabhcn
MD5

e9432eb74095c5c320db480ddb94634f
SHA1

1f2c4520fa6c8fdc681b43b5534dbb2188a29718
SHA256

42af13bbcc6d3ce213d165f1587104d2b10818f4da513554d6299ebf5db5ce58
SHA512

15256f2ca42b4f47783fc60c8317b7789dee8ca69052fa1a515ec77acacf5f30ae21f3ea5483d96c91224e23f4affef61389db374f66f0fa322e09297bcb816f

Score

10^/10

redline vidar 1455 4 @tag12312341 nam3 discovery infostealer persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

42af13bbcc6d3ce213d165f1587104d2b10818f4da513554d6299ebf5db5ce58.exe

Resource

win10v2004-20220721-en

redline vidar 1455 4 @tag12312341 nam3 discovery infostealer persistence spyware stealer

windows10-2004-x64

27 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

nam3

C2

103.89.90.61:18728

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

4

C2

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

C2

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

vidar

Version

53.3

Botnet

1455

C2

https://t.me/proabudabi

Attributes

profile_id
1455

Targets

- Target
  
  42af13bbcc6d3ce213d165f1587104d2b10818f4da513554d6299ebf5db5ce58
- Size
  
  1.4MB
- MD5
  
  e9432eb74095c5c320db480ddb94634f
- SHA1
  
  1f2c4520fa6c8fdc681b43b5534dbb2188a29718
- SHA256
  
  42af13bbcc6d3ce213d165f1587104d2b10818f4da513554d6299ebf5db5ce58
- SHA512
  
  15256f2ca42b4f47783fc60c8317b7789dee8ca69052fa1a515ec77acacf5f30ae21f3ea5483d96c91224e23f4affef61389db374f66f0fa322e09297bcb816f
Score

10^/10

redline vidar 1455 4 @tag12312341 nam3 discovery infostealer persistence spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

redlinevidar14554@tag12312341nam3discoveryinfostealerpersistencespywarestealer

© 2018-2024

Terms | Privacy