Analysis
-
max time kernel
151s -
max time network
143s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
21-06-2022 23:35
General
-
Target
bf88763cc6b6f48e5a2ddd775c54b31382628d05ca5c5436b7c0406a89cd0760.exe
-
Size
311KB
-
MD5
21045458fe4dd24c81d7a27d00228f9a
-
SHA1
a955d26ab74c8f83d36fc933f94e3a305c8d3265
-
SHA256
bf88763cc6b6f48e5a2ddd775c54b31382628d05ca5c5436b7c0406a89cd0760
-
SHA512
3bd28362b0ae100ed7d87efcb99772d39fa20afbb8eaa219cf0283be32ca6eab9fcc9858b4ddbdd2f536c9aef1e59f63d45f49cf6ef250859e7bc841ec76aa48
Malware Config
Extracted
vidar
52.7
1415
https://t.me/tg_superch
https://climatejustice.social/@olegf9844
-
profile_id
1415
Extracted
redline
zenquu
tradigview.xyz:12777
-
auth_value
70ac5f40cef894791e2b507bfc63de4e
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
-
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
-
Vidar Stealer 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf88763cc6b6f48e5a2ddd775c54b31382628d05ca5c5436b7c0406a89cd0760.exe"C:\Users\Admin\AppData\Local\Temp\bf88763cc6b6f48e5a2ddd775c54b31382628d05ca5c5436b7c0406a89cd0760.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\E242.exeC:\Users\Admin\AppData\Local\Temp\E242.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\E679.exeC:\Users\Admin\AppData\Local\Temp\E679.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roamingwwxyuhvy\zans.exe"C:\Users\Admin\AppData\Roamingwwxyuhvy\zans.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roamingwwxyuhvy\zans.exe"C:\Users\Admin\AppData\Roamingwwxyuhvy\zans.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\E242.exeFilesize
308KB
MD5c5e45a9cfa880801281c18aba23e50d4
SHA1ea6a91fdc1a539638e456806b020a6e8bb446687
SHA256bae68ac96c4606b69b9be3135a2794a4c0f0f04f047e3c3f4a6f53db3d2de93d
SHA512976bb6146a711561e21c6f59f3cf5ba93a85b637e0cbbd782640487a7000a61f61effe55c5763581f6545ff206f5f59cfee3fcdb5dbd80afe7707421bcfd48d5
-
C:\Users\Admin\AppData\Local\Temp\E242.exeFilesize
308KB
MD5c5e45a9cfa880801281c18aba23e50d4
SHA1ea6a91fdc1a539638e456806b020a6e8bb446687
SHA256bae68ac96c4606b69b9be3135a2794a4c0f0f04f047e3c3f4a6f53db3d2de93d
SHA512976bb6146a711561e21c6f59f3cf5ba93a85b637e0cbbd782640487a7000a61f61effe55c5763581f6545ff206f5f59cfee3fcdb5dbd80afe7707421bcfd48d5
-
C:\Users\Admin\AppData\Local\Temp\E679.exeFilesize
5KB
MD527b114dbf75af050a1b7fc74e55c2de5
SHA1edf51275bea475cb883408bce23739ed0dda6617
SHA256402f2d870d8fe0f6fa9ff435ff104c90f1fbb680d2709c910b672cce2f314566
SHA51273f103c315a50b0e00c71040892a996e9c5ae064d9eb4fb98b4a95bfaddbec13b5acef94ee93a0869229c4ab1503361a367ca8fe80ef9afccc2d9b257a26b62d
-
C:\Users\Admin\AppData\Local\Temp\E679.exeFilesize
5KB
MD527b114dbf75af050a1b7fc74e55c2de5
SHA1edf51275bea475cb883408bce23739ed0dda6617
SHA256402f2d870d8fe0f6fa9ff435ff104c90f1fbb680d2709c910b672cce2f314566
SHA51273f103c315a50b0e00c71040892a996e9c5ae064d9eb4fb98b4a95bfaddbec13b5acef94ee93a0869229c4ab1503361a367ca8fe80ef9afccc2d9b257a26b62d
-
C:\Users\Admin\AppData\Roamingwwxyuhvy\zans.exeFilesize
212.5MB
MD5b9a8f2a6cbf45542bf9d8a5abbdef11a
SHA1d92af24a3e4f36f769472bd44a7ee5fcfd5ca814
SHA256fc19798762e19a58fb59629c840cff2c6d2b9b5675ab6988b22a432901ac9b22
SHA512a62d52d6b8b3e87a8e9a7baf5fbf7e04a342beeaced847b37c084b3f0e13ecd1a41ac8c62c91e5da77fe50697d8e4689a4befa5d1d7674462675d45badbf889f
-
C:\Users\Admin\AppData\Roamingwwxyuhvy\zans.exeFilesize
205.9MB
MD5eba645c9a32364e3221b531d7994195a
SHA12cacc8faa01f37d50d3f2179c7736125786c48db
SHA2567b7adcbe1b8de912f90cc4225d1973f15bd65aecb3867be7694ce37d0b4afcc7
SHA512edd8659bd848a4e4aa4c03e0e40bd6feb3de666217d86329dacd7fde7b1aaf9f0076afcde917d91a0cd0acc54209af48f96fdcb9148825e97d5cd24e866fc013
-
C:\Users\Admin\AppData\Roamingwwxyuhvy\zans.exeFilesize
8.4MB
MD512e7978ff835560d2d2d3c821d44f4c7
SHA1a325a7413a65ed64b49a851570c9428d6e1d5a03
SHA256946d0bfc01ff7dc4d968a85ceaccc84d617aa574a48046573114ae45ea9e4805
SHA512277b0cc822d8aa9b3638a7b06c84a8cc1ad7acd2d6c654bb9b17f9de7a0a5d0c02981a40f5a5e4c47cf9c6ea1c78fbbb13be57f2e8d65447d083b349bb26230d
-
\ProgramData\mozglue.dllFilesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dllFilesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
memory/684-466-0x0000000000F80000-0x000000000100E000-memory.dmpFilesize
568KB
-
memory/684-432-0x0000000000000000-mapping.dmp
-
memory/684-470-0x0000000005870000-0x000000000590C000-memory.dmpFilesize
624KB
-
memory/684-479-0x00000000057D0000-0x0000000005838000-memory.dmpFilesize
416KB
-
memory/684-482-0x0000000008440000-0x000000000893E000-memory.dmpFilesize
5.0MB
-
memory/1628-484-0x000000000041AD7E-mapping.dmp
-
memory/1628-517-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2104-215-0x00000000005C0000-0x00000000005CC000-memory.dmpFilesize
48KB
-
memory/2104-201-0x0000000000000000-mapping.dmp
-
memory/2276-172-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/2276-173-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/2276-176-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/2276-170-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/2276-169-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/2276-168-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/2276-167-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/2276-165-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/2276-164-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/2276-163-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/2276-162-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/2276-161-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/2276-160-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/2276-159-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/2276-157-0x0000000000000000-mapping.dmp
-
memory/3200-142-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-137-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-153-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-154-0x0000000000400000-0x0000000002C6C000-memory.dmpFilesize
40.4MB
-
memory/3200-155-0x0000000002D00000-0x0000000002D09000-memory.dmpFilesize
36KB
-
memory/3200-156-0x0000000000400000-0x0000000002C6C000-memory.dmpFilesize
40.4MB
-
memory/3200-151-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-150-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-149-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-148-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-147-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-146-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-145-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-144-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-143-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-117-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-141-0x0000000002D00000-0x0000000002D09000-memory.dmpFilesize
36KB
-
memory/3200-140-0x0000000002D20000-0x0000000002E6A000-memory.dmpFilesize
1.3MB
-
memory/3200-139-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-131-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-118-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-136-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-119-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-120-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-135-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-134-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-133-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-121-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-122-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-123-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-124-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-125-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-152-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-126-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-132-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-127-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-128-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-129-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/3200-130-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/4768-180-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/4768-381-0x0000000004B30000-0x0000000004B42000-memory.dmpFilesize
72KB
-
memory/4768-171-0x0000000000000000-mapping.dmp
-
memory/4768-175-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/4768-177-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/4768-192-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/4768-248-0x00000000001E0000-0x00000000001E8000-memory.dmpFilesize
32KB
-
memory/4768-271-0x00000000023D0000-0x00000000023DA000-memory.dmpFilesize
40KB
-
memory/4768-178-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/4768-179-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/4768-183-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/4768-190-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/4768-184-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/4768-188-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/5052-185-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/5052-189-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/5052-377-0x0000000000A00000-0x0000000000A6B000-memory.dmpFilesize
428KB
-
memory/5052-182-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/5052-181-0x0000000000000000-mapping.dmp
-
memory/5052-314-0x0000000000A00000-0x0000000000A6B000-memory.dmpFilesize
428KB
-
memory/5052-313-0x0000000000A70000-0x0000000000AE4000-memory.dmpFilesize
464KB
-
memory/5052-191-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/5052-193-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB
-
memory/5052-187-0x0000000077750000-0x00000000778DE000-memory.dmpFilesize
1.6MB