Overview

overview

10

Static

static

setup/AISe...ck.exe

windows7_x64

10

setup/AISe...ck.exe

windows10-2004_x64

10

setup/Pre-...up.exe

windows7_x64

10

setup/Pre-...up.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7447306174.zip

  • Size

    3.6MB

  • Sample

    220520-nqwp4sbac4

  • MD5

    57315ec9fbcc7cad912c8045709257d8

  • SHA1

    1a7821dd025d04a766a1d41b14f9bfb0f90d11b4

  • SHA256

    fe9c2d372b2c9dfc51642c55248c4d193ac72ef6c938023626cd46383405e51c

  • SHA512

    242c3b160d966d567ea4897eaa2ea875f5d7ce3a4133a2dacc23775dcab8b048081342284682718df2adcd221cf5daafb84bec4a8086342e50e0361f66567936

Score
10/10
redlinevidar1281discoveryinfostealerspywarestealersuricata

Malware Config

Extracted

Family

vidar

Version

52.1

Botnet

1281

C2

https://t.me/verstappenf1r

Attributes
  • profile_id

    1281

Targets

    • Target

      setup/AISetup-Crack.exe

    • Size

      2.4MB

    • MD5

      632c411467cb6300f1386c563b138778

    • SHA1

      dc8f21dc53c8ef420cd417d2baf531567d9a21ce

    • SHA256

      d49afecb53d0779d6767571c6576d6c1a5529cb6470a0262971b7e00724a7c6a

    • SHA512

      043e4d05d0e1b3283fac0a944842ec5ac23329ae110eefeb18c2af2d2682451e35a2950533bd2ffcf502dc2991efd2a15946a4fd281068e40cf969de1fbe0f66

    Score
    10/10
    redlinediscoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

    • Target

      setup/Pre-Activated-Setup.exe

    • Size

      347.3MB

    • MD5

      6c61d27cdd0a9c8750a92021990fbc19

    • SHA1

      7f6fdf0db122195d4737f5ca85e292e0f10fbccd

    • SHA256

      8195c3e7fde033b97d9a99d642e841a4d78e4610a2e2867e303d8bd4baa6eac2

    • SHA512

      685a7bfb68072cb4f59c9137b6910f75da31401a6bbf915ddd2217400d367473b325b0c36f2705219363ebab9fcc8b0cbaed6839c2dcd403e1ee70eb31bd96f4

    Score
    10/10
    vidar1281spywarestealersuricata

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

      suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

      suricata

    • Vidar Stealer

      stealer

    • Loads dropped DLL

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

4
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Tasks