General

  • Target

    275deddef0f33683c99390656e658a121d4d630a130e3f45411594de37ae4498

  • Size

    3.2MB

  • Sample

    220928-w43dtagge8

  • MD5

    e18a73b3a82a22a768614d041fe91bb8

  • SHA1

    c16f522cd61c303b00be391b2f00a872e6307c10

  • SHA256

    275deddef0f33683c99390656e658a121d4d630a130e3f45411594de37ae4498

  • SHA512

    0236cf0e85af6b75e086aeb4de415fb019c76894acf2f08bd019e3b3bebf6a25aa46535037393a3ce35b3e20c0cb8279d277f35429f65fffdee9619506ee141a

  • SSDEEP

    12288:TsDhIWUJVhCO357lNT0eFbW1n6bZMuRg/cQ8HRL/:4DhvUJVhCO3VlmeFbWZ6bZMuRg/cQi

Malware Config

Extracted

  • Family

    vidar

  • Version

    54.6

  • Botnet

    1680

  • C2

    https://t.me/huobiinside

    https://mas.to/@kyriazhs1975

  • Attributes

    profile_id: 1680

Extracted

  • Family

    redline

  • Botnet

    Lyla.22.09

  • C2

    185.215.113.216:21921

  • Attributes

    auth_value: 2f19888cb6bad7fdc46df91dc06aacc5

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and other sensitive information.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1060 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (2)

  • Credential Access

    T1081 Credentials in Files (3)

  • Discovery

    T1012 Query Registry (2)

    T1082 System Information Discovery (2)

  • Collection

    T1005 Data from Local System (3)

  • Command and Control

    T1102 Web Service (1)