General
- Target: 65341B1F7F4018E163E564B546012D5BFA41A70C9B992.exe
- Size: 3.3MB
- Sample: 220816-r5ayqsacbr
- MD5: a4506dad7f03d4ee8a127d128f0ca712
- SHA1: f8eb247e6befb3189b03b8aab9bb9bec72bc80a8
- SHA256: 65341b1f7f4018e163e564b546012d5bfa41a70c9b9926a0b48781ae4e3f9ec3
- SHA512: 6bdcf3efd2ad40b49ec6a900db310cfc9e2ab31b0fcf3a61cfc95a509ad8d53246716a31c276c68f6185b9f5761b8ec378493e6b695cab21e6c5a6f06940180d
- SSDEEP: 49152:xcB3tvx0sDcrJJG7pVcmgbdLWXHZsdtrkZkfqrQsaQHkpemkXbEwJ84vLRaBtIlR:xdscsumgB8ZOrRCR9HSx6wCvLUBsKGEy
Static task: static1
Behavioral task: behavioral1
  Sample: 65341B1F7F4018E163E564B546012D5BFA41A70C9B992.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 65341B1F7F4018E163E564B546012D5BFA41A70C9B992.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted: privateloader
  http://163.123.143.4/proxies.txt
  http://107.182.129.251/server.txt
  pastebin.com/raw/A7dSG1te
  http://wfsdragon.ru/api/setStats.php
  163.123.143.12
  - payload_url: https://vipsofts.xyz/files/mega.bmp
Extracted: vidar
  39.8
  706
  https://xeronxikxxx.tumblr.com/
  - profile_id: 706
Extracted: redline
  AniOLD
  liezaphare.xyz:80
Extracted: nymaim
  208.67.104.9
  212.192.241.16
Extracted: redline
  LogsDiller Cloud (Sup: @mr_golds)
  193.233.193.14:8163
  - auth_value: 56c6f7b9024c076f0a96931453da7e56
Extracted: redline
  nam6.1
  103.89.90.61:34589
  - auth_value: b5784d2217d2fd4ce7dab9bdb9fcaa62
Extracted: redline
  Ruzki
  109.107.180.76:37989
  - auth_value: 4ce4f90f66dc8b148654ee82ae4463a5
Targets
- Target: 65341B1F7F4018E163E564B546012D5BFA41A70C9B992.exe
- Size: 3.3MB
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Nirsoft
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Uses the VBS compiler for execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext