General

  • Target

    92d5a9e906556a206749301d8cdec4032b9fa5a8a30a88422317ca42b7ef2893

  • Size

    274KB

  • Sample

    220527-symjmaffej

  • MD5

    f087f81edd1207056cc3c2184bafce89

  • SHA1

    e1e614937b2c18a34396d0b007604fe3a4fc52b1

  • SHA256

    92d5a9e906556a206749301d8cdec4032b9fa5a8a30a88422317ca42b7ef2893

  • SHA512

    91717b2d883d289a6d5f2ea382ba1e0bb4b20d79744ea1493baff8df6234ec728d5ee3a023fb0734029438fb8496622951084b6aa019088949fe87d066284d63

Malware Config

Extracted

Family

vidar

Version

52.3

Botnet

1415

C2

https://t.me/hyipsdigest

https://mastodon.online/@ronxik13

Attributes
  • profile_id

    1415

Extracted

Family

redline

Botnet

4

C2

45.10.43.167:26696

Attributes
  • auth_value

    907b4009a916888062785688f81bc6b3

Targets

    • Target

      92d5a9e906556a206749301d8cdec4032b9fa5a8a30a88422317ca42b7ef2893

    • Size

      274KB

    • MD5

      f087f81edd1207056cc3c2184bafce89

    • SHA1

      e1e614937b2c18a34396d0b007604fe3a4fc52b1

    • SHA256

      92d5a9e906556a206749301d8cdec4032b9fa5a8a30a88422317ca42b7ef2893

    • SHA512

      91717b2d883d289a6d5f2ea382ba1e0bb4b20d79744ea1493baff8df6234ec728d5ee3a023fb0734029438fb8496622951084b6aa019088949fe87d066284d63

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved

      suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved

    • suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

      suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

    • Vidar Stealer

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks