General

  • Target

    B10274561191CEDB0B16D2A69FDCD4E5062EDFE262184.exe

  • Size

    3.6MB

  • Sample

    211126-txhpqaddgr

  • MD5

    19008dabdac3c666e9006648027c4754

  • SHA1

    6a054be41ac9a5badab8d38552b8703c12b33cca

  • SHA256

    b10274561191cedb0b16d2a69fdcd4e5062edfe2621842eacd55945ffded3f57

  • SHA512

    83ff9b3b897055039061abcf65f46cfb2dbe8c418c4f959a2727f49035a361f541a1e2f511463cbd7449d0cb4828b6ae66290e1a6ed917d1b0d408d4bd90450b

Malware Config

Extracted

  • Family

    vidar

  • Version

    40.2

  • Botnet

    706

  • C2

    https://kipriauka.tumblr.com/

  • Attributes

      • profile_id

        706

Extracted

  • Family

    redline

  • Botnet

    pab777

  • C2

    185.215.113.15:6043

Extracted

  • Family

    socelars

  • C2

    http://www.ecgbg.com/

Targets

    • Target

      B10274561191CEDB0B16D2A69FDCD4E5062EDFE262184.exe

    • Size

      3.6MB

    • MD5

      19008dabdac3c666e9006648027c4754

    • SHA1

      6a054be41ac9a5badab8d38552b8703c12b33cca

    • SHA256

      b10274561191cedb0b16d2a69fdcd4e5062edfe2621842eacd55945ffded3f57

    • SHA512

      83ff9b3b897055039061abcf65f46cfb2dbe8c418c4f959a2727f49035a361f541a1e2f511463cbd7449d0cb4828b6ae66290e1a6ed917d1b0d408d4bd90450b

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks