Extracted

Extracted

Extracted

• • Target

    file.exe

  • Size

    11.0MB

  • MD5

    c66dd75502e3ded2bf8eb4e76c38fec5

  • SHA1

    8b0a45af4401e699e80027f850e085614147229f

  • SHA256

    2f09cfd635e40f7548f68635b756eb1d1e15e15bfaab596b612e5a4463c04cb2

  • SHA512

    28cc2fcbb1523c03512786f6b060fe8aeed5e13150c775ec607c6d50e5707e1a9bdf30bb75081b87f118488f9f8ebc35ecea4042b093a7251a0b73e2edb45a05

  • SSDEEP

    196608:/MT19VKUbMT11pK2vMT1lMKieWeEAkVePGfAkuePnmxH4oGr57oJCs77rOzIh/Qs:qJ

  Score

  10^/10

  redlinevidar1680lyla.22.09sep16as1discoveryinfostealerminerpersistencespywarestealervmprotect

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Detectes Phoenix Miner Payload

    miner

  • Downloads MZ/PE file

  • Executes dropped EXE

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses 2FA software files, possible credential harvesting

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2