General
- Target: 3ce17f00e34fae799986833f985ed70be310f7290def5b53264ef0f209e56194
- Size: 175KB
- Sample: 221206-2cparscg6w
- MD5: 30d8a9254dc4efb6f6fc98965baa7cf7
- SHA1: d2cd08cac6ac30d85ac5921191399ba4847ea7d9
- SHA256: 611fea4f31f4efeeac72b58a0096e1a38a476430c636a2565f6d5d0ce0f91977
- SHA512: fc2dffc0f4cdd56dd809ef5bc13cc3eb0e1faf28a012b2250a601305316493bbbd83bb7efab1b578170614c8d48a17087aa3188c8934b0125d744e9b39cc906b
- SSDEEP: 3072:/1BvpcyIefGd/ALulfFszejRAwj5S+qVn0SLIKL+UwLwkSwoBZlwRkrTVLk:/7po+GntKKRAyeB0SUW+D8kSwOZaaNY
Static task: static1
Behavioral task: behavioral1
- Sample: 3ce17f00e34fae799986833f985ed70be310f7290def5b53264ef0f209e56194.exe
- Resource: win7-20221111-en
Malware Config
Extracted: vidar
- 56.1
- 1148
- https://t.me/dishasta
- https://steamcommunity.com/profiles/76561199441933804
- profile_id: 1148
Extracted: redline
- YT
- 65.21.5.58:48811
- auth_value: fb878dde7f3b4ad1e1bc26d24db36d28
Targets
- Target: 3ce17f00e34fae799986833f985ed70be310f7290def5b53264ef0f209e56194
- Size: 273KB
- MD5: 430f716dcc3b5f288de47bb4d6ddb2db
- SHA1: 0d7b0ec982082bcea3f57820de4cdd67a1d005f8
- SHA256: 3ce17f00e34fae799986833f985ed70be310f7290def5b53264ef0f209e56194
- SHA512: ad294cabce019a9a1e9cd8dc25e37754c22ba1e0b1937293d307614ec638dd5d173343077687edb9d7185adef49830c19dc1cb80184078629c5e94c2f8079046
- SSDEEP: 6144:q9T43mEiPUqpr4TfKRAyeD043IDcjP/VS:q9ifiPUurVyUTDcDVS
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext