General

  • Target

    7049AC9D2096D37D36EE0D1EE9048E95.exe

  • Size

    321KB

  • Sample

    210521-qr7xs7z6e6

  • MD5

    7049ac9d2096d37d36ee0d1ee9048e95

  • SHA1

    36def9f0c54a3c52bbf9953fd3928d2d02e04505

  • SHA256

    4f8fe2f14c19ae475f397f4ea62e59ef42adc7c5af1ced0fca00d8963c9fb6d6

  • SHA512

    6f48e73e1ea41fbe2e5f7fd7b49297767f8f7c35a55073622a2459cc2533acd69491d354966a896eb07ca69945df9067b415370f617cdcd8b8f212ca450880c9

Malware Config

Extracted

  • Family

    vidar

  • Version

    38.8

  • Botnet

    719

  • C2

    https://HAL9THapi.faceit.comlegomind

  • Attributes

    profile_id: 719

Extracted

  • Family

    cryptbot

  • C2

    soggdx52.top
    moratr05.top

  • Attributes

    payload_url: http://douydw07.top/download.php?file=lv.exe

Extracted

  • Family

    redline

  • Botnet

    MIX 21.05

  • C2

    xisolenoy.xyz:80

Targets

    • CryptBot

      A C++ stealer that is widely distributed in bundles with other software.

    • CryptBot Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile information.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6

Tasks