redline

Sharing

Copy URL

Twitter E-mail

General

Target

10b956449191907929102ae12fdf6a4c51ba5a0aa168259608f502d1a70c931c
Size

44.0MB
Sample

241111-batjlayhrh
MD5

14d1fa693cc2b5021c2c762bc26b5930
SHA1

c6e5848bbee7f11d78f554c515daa532d0606183
SHA256

10b956449191907929102ae12fdf6a4c51ba5a0aa168259608f502d1a70c931c
SHA512

a431b7a6963ededa5f38a2d7f17ebf97e2d177b45087b32937936ec38e7f77969b065752ae71387f70377f531f2c37dc1b6227746f6a78c1a4cf5d67104f5f3c
SSDEEP

393216:+R1LJXtItN7rqjAOniFV0PzgZY40JFlr49YUBZNzA4fm+rpyMSikvHPQZxRwx4no:+Rqtx7miIoeUxzbfL4lpQZPwx4lVE

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://135.181.123.26/sccp32.dll

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://135.181.123.26/rundll32.bat

Extracted

Family

vidar

Version

1.9

Botnet

408

https://t.me/travelticketshop

https://steamcommunity.com/profiles/76561199469016299

http://65.109.190.87:80

Attributes

profile_id
408

Extracted

Family

redline

82.115.223.46:57672

Attributes

auth_value
f7d8d50d7edb43d9265a808e13bdad78

Extracted

Family

redline

Botnet

@traxoeb4000

45.15.156.155:80

Attributes

auth_value
b641aba23f2f7986b7337612ab13eddc

Targets

- Target
  
  DriverBoosterPro.exe
- Size
  
  30.8MB
- MD5
  
  0d53802cb56260bfe67619aabfa4974f
- SHA1
  
  21375855ea1f0cf5fe8147a70031a44a626e0b07
- SHA256
  
  24f24ab0484ba98c79a49459178ea40ca2fecc54100cd913c7eff730be962290
- SHA512
  
  25c8930c2ec97a55d715ce5990c0ea6f1b3b266fbc20a9d012c2a7ead0d06345e4dcb85fac97ac678ab7d261e5241a5922841966df63ba8ae51b326af642c8b7
- SSDEEP
  
  393216:01NpF9ID9b3Mj4sVC3Z+dV+fOcaZ5xlux+Gd3nHGaTamTDWeMAQtJxKP+:0CD5FsCc44GZHrTFSFJKP+
Score

10^/10

discovery evasion execution persistence privilege_escalation
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Modifies Windows Firewall
  evasion
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Install.exe
- Size
  
  403KB
- MD5
  
  666c738d6fc7bf1a1ffe6ca3c3e1ce2c
- SHA1
  
  ec8ccf1506b718839dc8e5a79b651a39fd9994c0
- SHA256
  
  39758a9e1e408fa272c08d58b64e40ef71229bc476cb06f1c9b9288dce4dcf3a
- SHA512
  
  f6affbb118c8a8d1d512f8621ecacbd1760ac3bc28505b0170fb6e48aff1f4ea64b52a3cfa7b6334eeee8e271112dcd7bbd32320055f96c2a00d8510e0d2f728
- SSDEEP
  
  6144:t9fFrPWMm150KFxHxsd9LZ69HJHrowl/EAOwMMMMMMJAVMM+MMMMMMMMMMMQP8M8:7B3m150KFxHxs9mcdtKHqJB7r6eVIn
Score

10^/10

redline discovery infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  Installer.exe
- Size
  
  386KB
- MD5
  
  5afbfa3023456a4d8df92e1ed7ed3f2b
- SHA1
  
  3d4f446d0e6094a0c9565104b04412b9d74842fe
- SHA256
  
  6bc0ced43000f97bc833b5af9663c3fad52ddf20847a6086daba4ac6c03267ef
- SHA512
  
  001cf602e8272074284a8b5cb45b70eb261589047ce6831d9bc8a4dd78c5d707f7c4ad96bf4f4c653fba23661e707d1efd332c120514b3043700ce0eeb03e752
- SSDEEP
  
  12288:ys2XdBRyYpDyOsf1Ug7HFrQeDrgDMcFD:t2XplJLR
Score

10^/10

redline @traxoeb4000 discovery infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  InstalllingFile_x64_x32mbit.exe.exe
- Size
  
  2.5MB
- MD5
  
  5f477f10523a2df0a5580664d799919d
- SHA1
  
  f776d76a9026f6251ec9a639f9e559c852b0bb66
- SHA256
  
  44ef5b01f886351aae52d3ca5e5e4bb1c46e7f77df9290d47dbaf3886416ac20
- SHA512
  
  d0cc3ae08d8ec8d860ff83ffd52c1ce12c9e87a6dcc5d38f1efef182f950ba49e5921412d596cbacb277854d83a5fc1b5c14f00581ae2336d2ba18c3860dc5fb
- SSDEEP
  
  49152:Ug9CYJyi2n3hhHYJ8RTJ3e61hqJ3scTvn0ziy685IFUbAeFFHvG9FJk82GlXX1:xCYJyiS3bHYJ8RTJ3JOJf0G85IFUbAeE
Score

7^/10

discovery spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral7 behavioral8
- Target
  
  Setup.exe
- Size
  
  761.7MB
- MD5
  
  820c6271c97216eecf92e16f48827e34
- SHA1
  
  1eb3c492c6330023f4b48ee0143b076215063e9f
- SHA256
  
  19704fb6e6b2239715d61cfa73cffefab04f35c3d14f431282d5619c2c809321
- SHA512
  
  00da75c68109fd25ae7ab3247e01df057bb7e60ac67f549cb3a173da1dc813b812293e79090343618b5a5626269a7562b5c085f59a426b4d796f0762b121362e
- SSDEEP
  
  12288:o0VEtZAYufMFBjufDOOOnPJTKqhrlyR0WiUH:UtZVuf7zOn1Kqllyn
Score

10^/10

vidar 408 discovery stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  Setup_1.exe
- Size
  
  228.1MB
- MD5
  
  f52f2e73210fae7d4d6cd9fd5a62f26b
- SHA1
  
  855776fde7d60d98e9083b39445497fcda9fd62b
- SHA256
  
  3140affc7607ca8961eb7bd572e8f107345031da63ef01df9ece3960007b4990
- SHA512
  
  274d2757c30c14af189cc43e8899dd404c4ea3f9d8e775d9271fc6c2a29fd9dc97d16d1c60dc297e69362e307e684642360ab0eb260ca4f46360ab2db83a03a0
- SSDEEP
  
  12288:o0VEtZAYufMFBjufDOOOnPJTKqhrlyR0WiUH:UtZVuf7zOn1Kqllyn
Score

10^/10

vidar 408 discovery stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Suspicious use of SetThreadContext
behavioral11 behavioral12