redline

Sharing

Copy URL

Twitter E-mail

General

Target

514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420
Size

286KB
Sample

221030-vtm1psbdg7
MD5

1fc67595c2e6b55d456b9cd090ece64d
SHA1

d714d38984725324da6f222b09b1c4111656cc6f
SHA256

514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420
SHA512

21a987ea2cfa83a44726e3648b146e0b041b6a25ba4386356cfca614ab7e6af2f1da0b928a94da6dbea6c77188db719142ceb73f06329abb2987726b7fdca876
SSDEEP

3072:cSlKU2WLcay9XLa/5eeRCEeg/lKtTb6I8zxNToycoGMWGVggjcGkNIVqI:YU2WLny9XOXsGlOn6ZjTo9od7ITsq

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
reanimedia.ru
Port:
21
Username:
[email protected]
Password:
A2307D2012phpv1

Extracted

Credentials

Protocol: ftp
Host:
pasco.nl
Port:
21
Username:
[email protected]
Password:
D040

Extracted

Credentials

Protocol: ftp
Host:
der-beyer-clan.de
Port:
21
Username:
[email protected]
Password:
008292

Extracted

Credentials

Protocol: ftp
Host:
leroyairport.com
Port:
21
Username:
[email protected]
Password:
1028102868123456123!!

Extracted

Credentials

Protocol: ftp
Host:
lineartec.de
Port:
21
Username:
[email protected]
Password:
Juhu4711#

Extracted

Credentials

Protocol: ftp
Host:
der-beyer-clan.de
Port:
21
Username:
marc
Password:
008292

Extracted

Credentials

Protocol: ftp
Host:
lineartec.de
Port:
21
Username:
mlinaric
Password:
Juhu4711#

Extracted

Credentials

Protocol: ftp
Host:
leroyairport.com
Port:
21
Username:
postmaster
Password:
1028102868123456123!!

Extracted

Credentials

Protocol: ftp
Host:
der-beyer-clan.de
Port:
21
Username:
admin
Password:
008292

Extracted

Credentials

Protocol: ftp
Host:
lineartec.de
Port:
21
Username:
admin
Password:
Juhu4711#

Extracted

Credentials

Protocol: ftp
Host:
leroyairport.com
Port:
21
Username:
admin
Password:
1028102868123456123!!

Extracted

Credentials

Protocol: ftp
Host:
reanimedia.ru
Port:
21
Username:
shevchenko
Password:
A2307D2012phpv1

Extracted

Credentials

Protocol: ftp
Host:
reanimedia.ru
Port:
21
Username:
admin
Password:
A2307D2012phpv1

Extracted

Family

redline

Botnet

Google2

167.235.71.14:20469

Attributes

auth_value
fb274d9691235ba015830da570a13578

Extracted

Family

vidar

Version

55.3

Botnet

1767

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
1767

Targets

- Target
  
  514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420
- Size
  
  286KB
- MD5
  
  1fc67595c2e6b55d456b9cd090ece64d
- SHA1
  
  d714d38984725324da6f222b09b1c4111656cc6f
- SHA256
  
  514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420
- SHA512
  
  21a987ea2cfa83a44726e3648b146e0b041b6a25ba4386356cfca614ab7e6af2f1da0b928a94da6dbea6c77188db719142ceb73f06329abb2987726b7fdca876
- SSDEEP
  
  3072:cSlKU2WLcay9XLa/5eeRCEeg/lKtTb6I8zxNToycoGMWGVggjcGkNIVqI:YU2WLny9XOXsGlOn6ZjTo9od7ITsq
Score

10^/10

redline smokeloader vidar 1767 google2 backdoor discovery infostealer persistence spyware stealer trojan upx
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1