General

  • Target: 7458976137.zip
  • Size: 3.2MB
  • Sample: 220520-nrwrhabac8
  • MD5: b5e4e3939b9dd07cb9af9b2207d4333f
  • SHA1: 7dcacad5844326620bda2b4156cf673691bda9f5
  • SHA256: c1f4204697908a155a89bd2237d4ded480cfa78afbb555b02ae53a1badd9e8f0
  • SHA512: e9d235663963f2dda6a6e9c6081f4a99555bcd7234cd32c45571282d7c8dcc2eb0e8e0ceaf28ef0abf6cfa01dfb11bb52ab8a7e981e6ce1973b1466b8664fd1b

Malware Config

Extracted

  • Family: redline
  • Botnet: leo5
  • C2:
      cenyeyalory.xyz:80
      kaiaiannial.xyz:80
      viasanainah.xyz:80
      xtelstasiup.xyz:80
  • Attributes:
      auth_value: be820120fdc25e4fee4cd33b669b3e2c

Extracted

  • Family: vidar
  • Version: 52.1
  • Botnet: 1281
  • C2:
      https://t.me/verstappenf1r
      https://climatejustice.social/@ronxik312
  • Attributes:
      profile_id: 1281

Targets

    • Target: setup/AISetup-Crack.exe
    • Size: 346.0MB
    • MD5: 5caa09b3a7089d4ec3ab263af0041826
    • SHA1: 40bafeae4244b17f5bbd42b1863fe8ba83d6e6f3
    • SHA256: 73487ed92e7cc9a0017dc27784a2a48d5d6ede2d76fb3190ab69cdd402d23ab1
    • SHA512: a49206f66d08b593f0546436e4a83ecebc21d7a8e0a4809075f4ca72513232063b75b4412cd9ebab00e185979e3914c048936de2a37cffa65531a44b8f0eb8e7

    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine Payload
    • Suspicious use of SetThreadContext

    • Target: setup/Pre-Activated-Setup.exe
    • Size: 353.8MB
    • MD5: e49a9126069d2e7c26159b2bdc38e822
    • SHA1: 97a3494ac4065d149a7c7426ce93bd73ab223af4
    • SHA256: c060daa79346e21d4f577b035b44b0d391bcfc2d20edea54ca3543ea8f568db8
    • SHA512: f16f0c03932ac35b0705216e1ffdb8aa43d77f721d6d8b4b2352341aee23b96b19c80cc771a02d9eb01a980a25fb6377b64eae59c0903b62f27b2d0514ba45b5

    • Vidar
      Vidar is an infostealer based on Arkei stealer.
    • suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Vidar Stealer
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses 2FA software files, possible credential harvesting
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                        Count  ID
  Defense Evasion    Virtualization/Sandbox Evasion   1      T1497
  Defense Evasion    Install Root Certificate         1      T1130
  Defense Evasion    Modify Registry                  1      T1112
  Credential Access  Credentials in Files             3      T1081
  Discovery          Query Registry                   4      T1012
  Discovery          Virtualization/Sandbox Evasion   1      T1497
  Discovery          System Information Discovery     3      T1082
  Collection         Data from Local System           3      T1005

Tasks