General

  • Target

    789edea2f682ba7f2caf76a0a3ca8559c5204627fd4a829cc863f06017686ccf

  • Size

    133KB

  • Sample

    220924-swljjschaj

  • MD5

    4afd6be2b3ec050cc0fd5b892bfec40c

  • SHA1

    83b233a12837796633fc5dd72ab720cf00760dd0

  • SHA256

    a49e81bd962a6454c4c2d7436945712d3a9a62eccf372d743c54bcc7c4575462

  • SHA512

    e50769f4a7a29dfb3aac42ac8eac9651e93317c6e3d2f63961eddbbaa436c2291a22617ab9b9cb4fa372346e06538dfbea88d2941d2ef414dd3d8929af98a76e

  • SSDEEP

    3072:IaZ1rP4Y3D9npa0AktMw3GP929JHVRY9mu/8KF1TvFaCWC+KWp:v15zNUVkGwq98JiJ/h7FnWF

Malware Config

Extracted

  • Family

    tofsee

  • C2

    svartalfheim.top
    jotunheim.name

Extracted

  • Family

    redline

  • Botnet

    LogsDiller Cloud (TG: @me_golds)

  • C2

    77.73.134.27:7161

  • Attributes

    auth_value: e136da06c7c0400f4091dab1787720ea

Extracted

  • Family

    vidar

  • Version

    54.6

  • Botnet

    1684

  • C2

    https://t.me/huobiinside
    https://mas.to/@kyriazhs1975

  • Attributes

    profile_id: 1684
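
The three extracted configs above mix indicator types: bare domains (Tofsee), an IP:port pair (RedLine) and profile URLs on public platforms (Vidar, which reads a Telegram channel and a Mastodon profile to recover its real C2 address). The script below is an added example, not part of the sandbox output; it normalises those indicators, defangs them for reporting, and runs them over constructed key=value log lines. The log lines, client addresses and the medium/high confidence scheme are the author's assumptions.

```python
"""Normalise the extracted C2 indicators into matchable IOCs and scan log lines."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators exactly as the report's "Malware Config" section lists them.
EXTRACTED_C2 = {
    "tofsee": ["svartalfheim.top", "jotunheim.name"],
    "redline": ["77.73.134.27:7161"],
    "vidar": ["https://t.me/huobiinside", "https://mas.to/@kyriazhs1975"],
}

def classify(indicator):
    """Split one indicator into (kind, host, port, path); kind is 'url', 'ip' or 'domain'."""
    if "://" in indicator:
        u = urlsplit(indicator)
        return "url", u.hostname.lower(), u.port, u.path.rstrip("/")
    host, sep, port = indicator.partition(":")
    port = int(port) if sep else None
    try:
        ipaddress.ip_address(host)
        return "ip", host, port, ""
    except ValueError:
        return "domain", host.lower().rstrip("."), port, ""

def defang(indicator):
    """Make an indicator safe to paste into a ticket or chat (hxxp, [.])."""
    return re.sub(r"^http", "hxxp", indicator).replace(".", "[.]")

class IocSet:
    def __init__(self, extracted):
        self.domains, self.ips, self.urls = {}, {}, {}
        for family, indicators in extracted.items():
            for ind in indicators:
                kind, host, port, path = classify(ind)
                if kind == "domain":
                    self.domains[host] = (family, ind)
                elif kind == "ip":
                    self.ips[host] = (family, ind, port)
                else:
                    # t.me and mas.to are shared platforms: key on host+path, never on
                    # the bare host, or every legitimate profile visit would match.
                    self.urls[(host, path)] = (family, ind)

    def match_domain(self, name):
        """Exact or subdomain match (cdn.jotunheim.name hits jotunheim.name)."""
        name = name.lower().rstrip(".")
        labels = name.split(".")
        for i in range(len(labels) - 1):          # never test the bare TLD
            cand = ".".join(labels[i:])
            if cand in self.domains:
                fam, ind = self.domains[cand]
                return {"family": fam, "indicator": ind, "observed": name, "confidence": "high"}
        return None

    def match_endpoint(self, dst):
        """IP match on any port; only the configured port is high confidence."""
        host, _, port = dst.rpartition(":")
        if host not in self.ips:
            return None
        fam, ind, c2_port = self.ips[host]
        conf = "high" if port.isdigit() and int(port) == c2_port else "medium"
        return {"family": fam, "indicator": ind, "observed": dst, "confidence": conf}

    def match_url(self, url):
        u = urlsplit(url)
        key = ((u.hostname or "").lower(), u.path.rstrip("/"))
        if key in self.urls:
            fam, ind = self.urls[key]
            return {"family": fam, "indicator": ind, "observed": url, "confidence": "high"}
        return None

KV = re.compile(r"(\w+)=(\S+)")

def scan(lines, iocs):
    """Run the IOC set over key=value log lines; returns hits in line order."""
    hits = []
    for line in lines:
        fields = dict(KV.findall(line))
        hit = None
        if "query" in fields:
            hit = iocs.match_domain(fields["query"])
        elif "dst" in fields:
            hit = iocs.match_endpoint(fields["dst"])
        elif "url" in fields:
            hit = iocs.match_url(fields["url"])
        if hit:
            hit["client"] = fields.get("client")
            hits.append(hit)
    return hits

# Constructed log lines (not from the sandbox run) in a generic key=value shape.
SAMPLE_LOG = [
    "2022-09-24T10:01:02Z dns query=svartalfheim.top client=10.0.0.5",
    "2022-09-24T10:01:05Z conn dst=77.73.134.27:7161 proto=tcp client=10.0.0.5",
    "2022-09-24T10:01:09Z http url=https://t.me/huobiinside client=10.0.0.5",
    "2022-09-24T10:02:00Z http url=https://t.me/some_unrelated_channel client=10.0.0.7",
    "2022-09-24T10:02:30Z conn dst=77.73.134.27:443 proto=tcp client=10.0.0.9",
    "2022-09-24T10:03:00Z dns query=cdn.jotunheim.name. client=10.0.0.9",
]

IOCS = IocSet(EXTRACTED_C2)
HITS = scan(SAMPLE_LOG, IOCS)

if __name__ == "__main__":
    for h in HITS:
        print(f"{h['confidence']:6} {h['family']:8} {h['client']} -> {defang(h['observed'])}")
```

The unrelated t.me channel on line four produces no hit, and the connection to the RedLine address on port 443 is reported at medium rather than high confidence; both choices keep the rule useful on real proxy logs, where the platform hosts are legitimate and a C2 IP may serve more than one port.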

Targets

    • Target

      789edea2f682ba7f2caf76a0a3ca8559c5204627fd4a829cc863f06017686ccf

    • Size

      197KB

    • MD5

      4f208f825d6c1b7a9972c36e7847b3cb

    • SHA1

      2ddb59ff34f37b78de4311f76eb8ad350f96623c

    • SHA256

      789edea2f682ba7f2caf76a0a3ca8559c5204627fd4a829cc863f06017686ccf

    • SHA512

      1a0890b84332eef52ae3fdf8e6af08e229ea318b555249a87fbe871aa60c2fa4e57db469832c6e2aa7326cc0694c291ebb59840f915cb9467a58ab6daba98736

    • SSDEEP

      3072:JFD1Ls2T54wR85zK3HJ4QXYMTMnzgABniubt/Pka4x:tLn+wH3HpInzl

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

The number beside each technique is the count of signatures mapped to it. Technique IDs are from ATT&CK v6; T1050 and T1031 have since been folded into T1543.003 (Create or Modify System Process: Windows Service), T1060 into T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1081 into T1552.001 (Unsecured Credentials: Credentials In Files).

Persistence

  • New Service (T1050): 1
  • Modify Existing Service (T1031): 1
  • Registry Run Keys / Startup Folder (T1060): 1

Privilege Escalation

  • New Service (T1050): 1

Defense Evasion

  • Modify Registry (T1112): 1

Credential Access

  • Credentials in Files (T1081): 3

Discovery

  • Query Registry (T1012): 4
  • System Information Discovery (T1082): 4
  • Peripheral Device Discovery (T1120): 1

Collection

  • Data from Local System (T1005): 3