General

  • Target

    f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe

  • Size

    583KB

  • Sample

    211028-vxkpraggbm

  • MD5

    c20afa6d829ac6e72b1444ffad4d13ae

  • SHA1

    5c884c26a76630a76e1efa9c4695959bc8c263ba

  • SHA256

    f30dab44e1b3c177c002b35c5e9a933b79345c378dbf434b96de62051bbb1eb0

  • SHA512

    c3ba72388bfe7c590b67b35ac21122f5ee2e5a371738c34eb74c41ff11eff1b5bb4ab0ef4cd83dd3c689ff904b0be00bdc5186d2e2f02acd74ac5ca5147c757c

Malware Config

Extracted

Family

redline

Botnet

Fast

C2

18.190.26.16:61391

Extracted

Family

vidar

Version

41.6

Botnet

1045

C2

https://mas.to/@lilocc

Attributes
  • profile_id

    1045

Targets

    • Target

      f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe

    • Size

      583KB

    • MD5

      c20afa6d829ac6e72b1444ffad4d13ae

    • SHA1

      5c884c26a76630a76e1efa9c4695959bc8c263ba

    • SHA256

      f30dab44e1b3c177c002b35c5e9a933b79345c378dbf434b96de62051bbb1eb0

    • SHA512

      c3ba72388bfe7c590b67b35ac21122f5ee2e5a371738c34eb74c41ff11eff1b5bb4ab0ef4cd83dd3c689ff904b0be00bdc5186d2e2f02acd74ac5ca5147c757c

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Vidar Stealer

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Tasks