General

  • Target

    7164c297181394bbccb68090346d1742

  • Size

    5.6MB

  • Sample

    210612-jb8aphqn7x

  • MD5

    7164c297181394bbccb68090346d1742

  • SHA1

    9910dbddb71ce11fec02953ebd29b2ba3b1a6247

  • SHA256

    531511e95f85e5fd8614c28ddfd4fd487086ebd3f656b6214419876ff1ad3be4

  • SHA512

    68296603ec5d649c8a03ca7fbebbcfbfacfa3e5a4f416414a7a6bf9efc27648de41d1e8b5be4850c3cba736e6460433f45f97aa3d1924ab690923fa06600541c

Malware Config

Extracted

Family

vidar

Version

39.3

Botnet

915

C2

https://bandakere.tumblr.com

Attributes
  • profile_id

    915

Extracted

Family

danabot

Version

1827

Botnet

3

C2

192.210.198.12:443

37.220.31.50:443

184.95.51.183:443

184.95.51.175:443

Attributes
  • embedded_hash

    410EB249B3A3D8613B29638D583F7193

  • rsa_pubkey.plain
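One way to put the two extracted configurations to work, as an added example that is not part of the sandbox output: normalise the Vidar URL and the DanaBot ip:port entries into a single indicator set, run it over egress logs, and emit Suricata rules for it. The indicator values are copied from the Malware Config section above; the log lines, the log format and the sid range are constructed for the example. The Vidar entry is a URL on a legitimate hosting service (the report's own "Legitimate hosting services abused" signature), so it is matched on the exact hostname, not on an IP.

```python
"""Match the C2 indicators extracted above against egress logs.

Added example for this report, not sandbox output. Indicator values are
copied from the extracted configuration on this page; the log lines and
the sid range are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Copied from the Malware Config section above.
EXTRACTED_C2 = {
    "vidar": ["https://bandakere.tumblr.com"],
    "danabot": [
        "192.210.198.12:443",
        "37.220.31.50:443",
        "184.95.51.183:443",
        "184.95.51.175:443",
    ],
}


def parse_c2(entry):
    """Normalise one config entry to (kind, host, port).

    Vidar's entry is a URL on a legitimate hosting service, so the full
    hostname is the indicator. DanaBot entries are bare ip:port pairs.
    """
    if "://" in entry:
        u = urlsplit(entry)
        port = u.port or (443 if u.scheme == "https" else 80)
        return "host", u.hostname.lower(), port
    host, _, port = entry.rpartition(":")
    ipaddress.ip_address(host)  # ValueError on a malformed entry
    return "ip", host, int(port)


def build_indicators(config=EXTRACTED_C2):
    """Map host/IP -> (family, kind, configured port)."""
    out = {}
    for family, entries in config.items():
        for entry in entries:
            kind, host, port = parse_c2(entry)
            out[host] = (family, kind, port)
    return out


# Constructed egress log: "<timestamp> <src_ip> <dst_host_or_ip> <dst_port>".
SAMPLE_EGRESS_LOG = """\
2021-06-12T09:14:02Z 10.0.0.21 bandakere.tumblr.com 443
2021-06-12T09:14:05Z 10.0.0.21 www.tumblr.com 443
2021-06-12T09:14:31Z 10.0.0.21 192.210.198.12 443
2021-06-12T09:14:33Z 10.0.0.21 192.210.198.12 80
2021-06-12T09:15:10Z 10.0.0.44 184.95.51.175 443
"""


def scan_log(text, indicators=None):
    """Return one hit per log line whose destination is a configured C2.

    Matching is on the destination only: the server is attacker-controlled,
    so a contact on an unexpected port is still reported, with the port
    mismatch recorded for the analyst.
    """
    indicators = indicators or build_indicators()
    hits = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        match = indicators.get(dst.lower())
        if match is None:
            continue  # www.tumblr.com is not an indicator; only the exact host is
        family, kind, expected_port = match
        hits.append({
            "ts": ts, "src": src, "dst": dst, "family": family,
            "port_match": int(port) == expected_port,
        })
    return hits


def suricata_rules(indicators=None, sid_base=1000001):
    """Emit one Suricata rule per indicator (the sid range is an assumption)."""
    indicators = indicators or build_indicators()
    rules = []
    for sid, (host, (family, kind, port)) in enumerate(sorted(indicators.items()), sid_base):
        if kind == "host":
            rules.append(
                f'alert tls $HOME_NET any -> $EXTERNAL_NET {port} '
                f'(msg:"{family} C2 host {host}"; tls.sni; content:"{host}"; '
                f'nocase; sid:{sid}; rev:1;)'
            )
        else:
            rules.append(
                f'alert ip $HOME_NET any -> {host} any '
                f'(msg:"{family} C2 address {host}"; sid:{sid}; rev:1;)'
            )
    return rules


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_EGRESS_LOG):
        print(hit)
    print("\n".join(suricata_rules()))
```

The hostname rule deliberately matches only bandakere.tumblr.com via TLS SNI; blocking tumblr.com as a whole would trade one stealer profile for a large false-positive surface.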

Targets

    • Target

      7164c297181394bbccb68090346d1742

    • Size

      5.6MB

    • MD5

      7164c297181394bbccb68090346d1742

    • SHA1

      9910dbddb71ce11fec02953ebd29b2ba3b1a6247

    • SHA256

      531511e95f85e5fd8614c28ddfd4fd487086ebd3f656b6214419876ff1ad3be4

    • SHA512

      68296603ec5d649c8a03ca7fbebbcfbfacfa3e5a4f416414a7a6bf9efc27648de41d1e8b5be4850c3cba736e6460433f45f97aa3d1924ab690923fa06600541c

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Vidar Stealer

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
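Several of the signatures above (Run key, Uninstall key enumeration, UAC check, locale check, Wireshark/Fiddler check, browser credential store access) can be re-derived from a process's registry and file activity. The following is an added example and not the sandbox's own rule set: it runs a small rule table over a constructed Procmon-style trace and flags the process that trips a cluster of them. The trace format and process IDs are constructed; the Uninstall, Run, EnableLUA, Geo\Nation and Chrome "Login Data" paths are standard Windows locations, while the Wireshark and Fiddler registry keys are assumed install-marker keys, and the technique column is an assumed mapping onto the v6 IDs used in the matrix below.

```python
"""Re-derive behaviour signatures from a process trace.

Added example for this report, not the sandbox's own rules. The trace
format and PIDs are constructed; Wireshark/Fiddler key paths and the
technique mapping are assumptions.
"""
import re
from collections import defaultdict

# Each rule: (signature name as on this page, assumed ATT&CK v6 technique,
# regex over "<operation> <path>"). Matching is case-insensitive.
RULES = [
    ("Adds Run key to start application", "T1060",
     r"^RegSetValue .*\\CurrentVersion\\Run\\"),
    ("Checks installed software on the system", "T1518",
     r"^Reg(OpenKey|EnumKey) .*\\CurrentVersion\\Uninstall"),
    ("Checks whether UAC is enabled", "T1012",
     r"^RegQueryValue .*\\Policies\\System\\EnableLUA$"),
    ("Checks computer location settings", "T1082",
     r"^RegQueryValue .*\\Control Panel\\International\\Geo\\Nation$"),
    # Assumed install-marker keys for the tools the signature names.
    ("Checks for common network interception software", "T1012",
     r"^RegOpenKey .*\\(Wireshark|Fiddler2?)(\\|$)"),
    ("Reads user/profile data of web browsers", "T1081",
     r"^(CreateFile|ReadFile) .*\\User Data\\.*\\(Login Data|Cookies|Web Data)$"),
]
COMPILED = [(name, tid, re.compile(rx, re.IGNORECASE)) for name, tid, rx in RULES]

# Constructed Procmon-style trace: "<pid> <operation> <path>".
SAMPLE_TRACE = """\
4120 RegOpenKey HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall
4120 RegEnumKey HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall
4120 RegOpenKey HKLM\\SOFTWARE\\Wireshark
4120 RegOpenKey HKCU\\Software\\Microsoft\\Fiddler2
4120 RegQueryValue HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA
4120 RegQueryValue HKCU\\Control Panel\\International\\Geo\\Nation
4120 CreateFile C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
4120 RegSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
2204 RegOpenKey HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall
2204 CreateFile C:\\Users\\victim\\Documents\\report.docx
"""


def match_trace(text):
    """Return {pid: {signature name: technique}} for every rule that fires."""
    hits = defaultdict(dict)
    for line in text.splitlines():
        pid, rest = line.split(" ", 1)
        for name, tid, rx in COMPILED:
            if rx.search(rest):
                hits[pid][name] = tid
    return dict(hits)


def suspicious_processes(hits, threshold=3):
    """Processes that trip at least `threshold` distinct signatures.

    A single match (enumerating Uninstall keys) is normal for installers
    and inventory agents; the stealer profile is the cluster: software and
    analysis-tool enumeration, UAC and locale checks, browser credential
    store access and a Run key, all from one process.
    """
    return {pid: sigs for pid, sigs in hits.items() if len(sigs) >= threshold}


if __name__ == "__main__":
    found = match_trace(SAMPLE_TRACE)
    for pid, sigs in suspicious_processes(found).items():
        print(pid, sorted(sigs))
```

The threshold is the point of the example: each rule on its own matches benign software, and it is the co-occurrence within one process, the same thing the signature list above records for this sample, that separates a stealer from an installer.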

MITRE ATT&CK Matrix (ATT&CK v6)

The number after each technique is the count of signatures above mapped to it.

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 3

    Install Root Certificate (T1130): 1

  • Credential Access

    Credentials in Files (T1081): 3

  • Discovery

    Software Discovery (T1518): 1

    Query Registry (T1012): 4

    System Information Discovery (T1082): 5

    Peripheral Device Discovery (T1120): 1

    Remote System Discovery (T1018): 1

  • Collection

    Data from Local System (T1005): 3

  • Command and Control

    Web Service (T1102): 1
