Overview

overview

10

Static

static

bear_vpn.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bear_vpn.exe

  • Size

    2.8MB

  • Sample

    210731-bqd7ageyn6

  • MD5

    b4bc083dd5a8bbd1210820ed0b6fa963

  • SHA1

    c8315decf246e312bde4ef5f2809bb2775f81f81

  • SHA256

    f6aabb6a58fc29b92134b88ca9d80bee51858a9f3ede8a97ce30f3fac8cc68fa

  • SHA512

    91f52798ca471daeca6972f2ea963fe0d7468900b234c96aff71d16ed4d0b3c7262e699f04816969b1505e82cfa6409570a6b64687164f4bdf43286c0157b4a7

Score
10/10
redlinesocelarsxmrigliezupddiscoveryinfostealerminerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

UPD

C2

185.215.113.45:41009

Extracted

Family

redline

Botnet

Liez

C2

liezaphare.xyz:80

Targets

    • Target

      bear_vpn.exe

    • Size

      2.8MB

    • MD5

      b4bc083dd5a8bbd1210820ed0b6fa963

    • SHA1

      c8315decf246e312bde4ef5f2809bb2775f81f81

    • SHA256

      f6aabb6a58fc29b92134b88ca9d80bee51858a9f3ede8a97ce30f3fac8cc68fa

    • SHA512

      91f52798ca471daeca6972f2ea963fe0d7468900b234c96aff71d16ed4d0b3c7262e699f04816969b1505e82cfa6409570a6b64687164f4bdf43286c0157b4a7

    Score
    10/10
    redlinesocelarsxmrigliezupddiscoveryinfostealerminerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Nirsoft

    • XMRig Miner Payload

      miner

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks