Overview

overview

10

Static

static

e6bc2a8fe0...27.exe

windows7_x64

6

e6bc2a8fe0...27.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e6bc2a8fe0c10166a4ddad7cb804b6298d91c52c7ddd114902958639257c9f27

  • Size

    8KB

  • Sample

    220211-c1nxgaaaa8

  • MD5

    f4c9178895e50ad8d4cdc8c6298ed6ef

  • SHA1

    3cd35638dcdccf62f7940da5676dfb5957251797

  • SHA256

    e6bc2a8fe0c10166a4ddad7cb804b6298d91c52c7ddd114902958639257c9f27

  • SHA512

    f1d06872e632cb29819412c4ede205a0c3c75bdf9e17bb5784f8acfe81811a2a797bceaf55ef4802d77c1ba1dd9f4eab4d95919f83641e30ceb8fa6718a17a02

Score
10/10
redlinesmokeloadervidar754backdoordiscoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://185.215.113.40/

http://1fdsdfsdfdsf.space/

http://2fds33rdsrsdrs.space/

http://3fds4544gfgf.space/

http://4jgfdjgdh5fds.space/

http://5gfdtktkkt44.space/
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

50.1

Botnet

754

C2

https://mastodon.online/@k1llerniax

https://koyu.space/@k1llerni2x
Attributes
  • profile_id

    754

Targets

    • Target

      e6bc2a8fe0c10166a4ddad7cb804b6298d91c52c7ddd114902958639257c9f27

    • Size

      8KB

    • MD5

      f4c9178895e50ad8d4cdc8c6298ed6ef

    • SHA1

      3cd35638dcdccf62f7940da5676dfb5957251797

    • SHA256

      e6bc2a8fe0c10166a4ddad7cb804b6298d91c52c7ddd114902958639257c9f27

    • SHA512

      f1d06872e632cb29819412c4ede205a0c3c75bdf9e17bb5784f8acfe81811a2a797bceaf55ef4802d77c1ba1dd9f4eab4d95919f83641e30ceb8fa6718a17a02

    Score
    10/10
    redlinesmokeloadervidar754backdoordiscoveryinfostealerspywarestealertrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

5
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks