RedLine/Vidar First Abuses EV Certificates, Then Shifts to Ransomware SHA256 Indicator Description 9123e42cdd3421e8f276ac711988fb8a8929172fa76674ec4de230e6d528d09a TripAdvisor Complaint - Possible Suspension.exe Phishing attachment, detected as Ransom.Win64.CYCLOPS.A 486a9204d3b56449fd0af14bba165fd36182846a9cd9b17837d0f4f818de09e4 First shellcode Saved as %appdata%\{20 random uppercase alpha characters}\{21 random uppercase alpha characters}. Hash value may vary. a6258d70bc0b5d5c87368c5024d3f23585790b14227b8c59333413082524a956 Second shellcode Second shellcode, saved as %localappdata%\temp\{8 random lowercase alpha characters}. Hash value may vary. f39291532290bdbbf355e79bb67019225622da9699adb5fd66cbb408cee99835 Second shellcode Second shellcode, saved as %localappdata%\temp\{8 random lowercase alpha characters}. Hash value may vary. ec835cbaad5c14ef5abcd659199c2027d2c05cee852fb82018d9d065261f304f rgb9gast.exe Legitimate 7-Zip Standalone Console f8cf52e98aeae2170ab68d53b99b104fa6320f54057a63d2603ecdb2ec559fc1 How to restore your files.txt Ransomnote c53ff1351ab0a076ed9c5868e42627939739cfaa98786a111884a3a4dd829747 Additional information about the reservation.exe f69fa5f7a89ef1c19214ee0c8db393ced2b166bc2f7876e3b09e7903b46d21d0 doctor's opinion.exe bb3a8aafefd6d2953b2de555a085474fad6ba3b43eb60f0d594adac08b9d9cc3 Doctor's recommendations.exe Network IOCs URL Description hxxps://samuelelena[.]co/npm/module.external/jquery.min.js JavasScript files associated with phishing attachment TripAdvisor-Complaint-1uy8dx.PDF.htm hxxps://samuelelena[.]co/npm/module[.]external/moment.min.js JavasScript files associated with phishing attachment TripAdvisor-Complaint-1uy8dx.PDF.htm hxxps://samuelelena[.]co/npm/module[.]external/client.min.js JavasScript files associated with phishing attachment TripAdvisor-Complaint-1uy8dx.PDF.htm hxxps://samuelelena[.]co/npm/module.tripadvisor/module.tripadvisor.js JavasScript files associated with phishing attachment TripAdvisor-Complaint-1uy8dx.PDF.htm hxxps://www.doi[.]org/ non-malicious website that governs Digital Object Identifier (DOI) systems hxxps[://]i.ibb[.]co/Gp95Qcw/2286401330.png .png file downloaded by TripAdvisor Complaint - Possible Suspension.exe, contains ransomware binary