redline

Sharing

General

Target

quarantine.7z
Size

15.6MB
Sample

250304-a3ny5svls7
MD5

16e4a423d8bcaf482dc5c818a1b25cd9
SHA1

394128c1685e504be78fbb8f93bee1cc5cc8bc28
SHA256

9c2b49dde271accdeb74a011a6091c6d7ed432326d24d424bc547eb57c343a6f
SHA512

bd2bc5a6a354da2cc30f2f7b5ce7117b37b32cd4a73c45bac31525ba8507dc5166be0c42bc8f4b79e6787c3b8c4063e20f43c1f7bed357130cfe42c52f2aa7d6
SSDEEP

393216:LIgnFP1tFp3j+iLd8xxKjQLQmwCmaU6hIkD5JUmDiFBvl:MgnF9RwHKjQ0mDmP+HjY9l

Score

10^/10

Malware Config

Extracted

Family

systembc

towerbingobongoboom.com

213.209.150.137

Extracted

Family

redline

Botnet

testproliv

45.155.103.183:1488

Extracted

Family

vidar

Botnet

ir7am

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Targets

- Target
  
  quarantine/7UlMpzX.exe
- Size
  
  7.2MB
- MD5
  
  e0a1a022d91e3dae3a9c14bbb4541a01
- SHA1
  
  2d98ea30dd016810f927ec71fa42bef317570248
- SHA256
  
  daa5a2f0707c44c65277c13161e7016e028fb77f87765ecc12203700b92742eb
- SHA512
  
  4bc7dc56d2700bad42b1a57830240b8008a1c25e28683d5fe6714fb18d0c6debe68912797975c0ff391cd95e8828ff6fa9fb99ed4fe0a60a317cb2f39d3fb4ba
- SSDEEP
  
  98304:Bh7bxT9owDrvzsex+ZX2vkPPAKMjOntYRmyzETNcsK:HJ3vzsA+kcwKZntYRmyzETK7
Score

10^/10

xmrig miner
- XMRig Miner payload
  miner
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  quarantine/BXxKvLN.exe
- Size
  
  1.7MB
- MD5
  
  971c0e70de5bb3de0c9911cf96d11743
- SHA1
  
  43badfc19a7e07671817cf05b39bc28a6c22e122
- SHA256
  
  67c9bb968cd0de2bfb2c24b00cfb2b98ac7403135ea47d98961652518584e45d
- SHA512
  
  a46523d8c71c0df25a043e2250ee1b6792e147314ec2097870a7972c892fd1a2022994f10823dadf54f161d11e808251b85a18efb9db9450d97af4b2f173f3c2
- SSDEEP
  
  49152:PILW3W4OH2ImHQRD2H8Vs1sfh8h08GhPdYJblsacEadrrtNb24q:i+eJNbHq
Score

10^/10

redline testproliv discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral3 behavioral4
- Target
  
  quarantine/JCFx2xj.exe
- Size
  
  12.4MB
- MD5
  
  7ff72f21d83d3abdc706781fb3224111
- SHA1
  
  3bfbe059b8e491bde4919fb29afa84d4ea1c0fa8
- SHA256
  
  0c54843666a464f185c97a7693a91eb328827a900717e414357b897bd2630fea
- SHA512
  
  dbb3c7b618bc2c80dae90ff902100d3902ddffe5705cf0c648b8b3f702fd8814b9cf66490e3260e09d36c1ce57bfc05d3f9bb0fc089c5ec7c553eb8a94d3320d
- SSDEEP
  
  98304:9759mzzsStK6WQR/GxauphkCnEUNKmV5WpVy9Ipq+kKQ8yRuDTxLXZOrdArhuoK:f9QlXMhkCpwtAiq+ORu3xLXedArQl
Score

10^/10

vidar ir7am credential_access discovery spyware stealer
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  quarantine/UBiTCuj.exe
- Size
  
  6.8MB
- MD5
  
  dab2bc3868e73dd0aab2a5b4853d9583
- SHA1
  
  3dadfc676570fc26fc2406d948f7a6d4834a6e2c
- SHA256
  
  388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
- SHA512
  
  3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8
- SSDEEP
  
  98304:fQX0x83hQvVapJdIJc3XO72dn3ffZSjZbkKk5KExKKUkIg5Wo6J:YX02GapHXkAn38jZk5KETUkIglW
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  quarantine/bPDDW9F.exe
- Size
  
  1.3MB
- MD5
  
  cde0f4bf8c4605529175bbb5e86c6bad
- SHA1
  
  8194071706458c456a021e8e17b0a63ba3b54b44
- SHA256
  
  989ab0b506d60a468a8ab919dd973cae0f00072d60615d9b0243825e4b4a4e7e
- SHA512
  
  265a84c26b56abdd0548503eea7b1ce76b6661ce874e7ef0235dad6d424b568ac104adf5324ee164924b67d4865222e5bc4567ea4ce67b39f08215ad301697ea
- SSDEEP
  
  12288:M7M76dBMCunPjOYdx4cAp5EQxdWvIzKdXTPrljBAhpp9E1ma3XfadQHHNNaAXT:M7M76dBMCunPjicAIv/JNAh39oUm
Score

8^/10

persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral10 behavioral9
- Target
  
  quarantine/d0HNrLB.exe
- Size
  
  277KB
- MD5
  
  d1458dc39b290683cefbb01cc5b0991a
- SHA1
  
  e9749971be9d943cb2a62e2be5eb442161876ec6
- SHA256
  
  dc7d690adb8ea5ab1a9b1f65fc3a62b35d9ae4c57a7806ccb226b825f1465f2d
- SHA512
  
  f90bc037576ee1205fa260d5b6b05c95f930025bc40f541b92f39b845b8e9a90a59ec18ef0be1ab5cf7bb74ed6a6222fc1a882df894ba8e1e722d671aef37e35
- SSDEEP
  
  6144:mncN0em3ZxfIiz1uE9FT6gLc/wtgdmvRvtsUuVGh+/Kq3u:P0dfJ8E9d6gLMaDvzsVu+d+
Score

10^/10

xworm discovery persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  quarantine/infinity.exe
- Size
  
  3.5MB
- MD5
  
  f3e33202884d3aff1b011acd7750f4f8
- SHA1
  
  7bbd4b1f8384f07ad60683a25cdf82c96d1195b2
- SHA256
  
  6223ea95d9ec2d019c0244ffc67b9ad9aabc9db740f08abbded44c8818f928d8
- SHA512
  
  92ba9dcabece3c78af129474981e1969d3ac229da7e4fed4d06951e90066694eed954b361e9c951cca2446a1dca3454ae8c90cc01eab5d97fb13e61994b20569
- SSDEEP
  
  98304:3ydQ2R33mZIpPoGAy4eyU2ZDbw3bQBTLnJS:a33sfy4e8Z99jJS
Score

10^/10

socks5systemz botnet discovery
- Detect Socks5Systemz Payload
- Socks5Systemz
  Socks5Systemz is a botnet written in C++.
  botnet socks5systemz
- Socks5systemz family
  socks5systemz
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral13 behavioral14
- Target
  
  quarantine/khykuQw.exe
- Size
  
  7.6MB
- MD5
  
  accdbd5044408c82c19c977829713e4f
- SHA1
  
  070a001ac12139cc1238017d795a2b43ac52770d
- SHA256
  
  dfa2ab0714c9f234b63fd1295ce468bd247465701a90b8a9ab9eb3d6d032d258
- SHA512
  
  34fe4ec1307e7d45080b6e0fb093eb8f1d43fb71a3e3411e32a5798f9cacc69ea1b82d56fcf9e503dd22c51e9af92fde7c149ac5882af4daab5c3cb906cdeb85
- SSDEEP
  
  98304:fYRhnYdlvIib45D+ZicbrZRutIvD0wi9Q1Tjr+RTO7EC5pqQ5eoQQMgX3Q6jEd8O:5H8QK2GcJL
Score

7^/10

discovery spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral15 behavioral16
- Target
  
  quarantine/soudneff.exe
- Size
  
  1.7MB
- MD5
  
  efac52cc9304919d4f9e49c56bdbd484
- SHA1
  
  68e90fd0a473ba822bb4f708d718afcbbd660850
- SHA256
  
  e903bd6ec4817fca7a718b770d6d6a509c7e522cbebb41bd26e48bfe009d0510
- SHA512
  
  9185437c21c56772d3dd7172269b3569380b518e78c8cb9dcf947968476d4d79beb2aeb31da66d3736a2a0f3be88d3caf86d9ba79c59608aaca196c409466ada
- SSDEEP
  
  49152:dWiPyNzLHax6WxKPQx1GyGe4/xU7VNT1xMJ1NxjnW8EtV:dhGW4OOCbhGQ
Score

10^/10

systembc defense_evasion discovery trojan
- SystemBC
  SystemBC is a proxy and remote administration tool first seen in 2019.
  trojan systembc
- Systembc family
  systembc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral17 behavioral18
- Target
  
  quarantine/v6Oqdnc.exe
- Size
  
  2.0MB
- MD5
  
  6006ae409307acc35ca6d0926b0f8685
- SHA1
  
  abd6c5a44730270ae9f2fce698c0f5d2594eac2f
- SHA256
  
  a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
- SHA512
  
  b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718
- SSDEEP
  
  49152:8e0464BN/+WlGmrTEdSIfaYZ/1NnyD+9/nDPdwD:8VvFPaI/jy69/nD
Score

9^/10

defense_evasion discovery spyware stealer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral19 behavioral20
- Target
  
  quarantine/zY9sqWs.exe
- Size
  
  361KB
- MD5
  
  2bb133c52b30e2b6b3608fdc5e7d7a22
- SHA1
  
  fcb19512b31d9ece1bbe637fe18f8caf257f0a00
- SHA256
  
  b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630
- SHA512
  
  73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f
- SSDEEP
  
  6144:VVWjGnPOzNsZKlgzMCoIRZ7HNfbjaHFljM7/o1kc3Rx:VVWjHzNsZK+MCoIRZ7HNjjaXMLo1V3R
Score

7^/10

discovery spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral21 behavioral22