Overview

overview

10

Static

static

10

Server.bin.zip

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Server.bin.zip

  • Size

    43KB

  • Sample

    221107-wbxb4aadb9

  • MD5

    562ba3c4367f7e8e1b55f70cc79b4548

  • SHA1

    1af17121cc67de62cbb1a677ee8cf9a41034e220

  • SHA256

    6c5f008b6fb6dc6b52356be1cff64f1aed63023273b5d2055866f066cc14f776

  • SHA512

    1c1255f74dd2def0fbf3c35657c4c617bee48640fa77d3c28595f012a9db4a062b5611079186f286f2dd9f4f9ed955fdadbc338e96e969487e99f02defe9ebb1

  • SSDEEP

    768:iATUlMZLcjaTQ4g7JjsfmTgHPWlDg6XAKmmACxGC8G886dMeZM1E4gUASmRd:iRMZ4aTi7JYME6VQUxG53NUAS2d

Score
10/10
njratvidar1707elexdiscoveryevasionspywarestealervmprotect

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Elex

C2

NC50Y3AuZXUubmdyb2suaW8Strik:MTgzNzk=

Mutex

51fdfa7645928e2ac1d9effc2044fef0

Attributes
  • reg_key

    51fdfa7645928e2ac1d9effc2044fef0

  • splitter

    |'|'|

Extracted

Family

vidar

Version

55.6

Botnet

1707

C2

https://t.me/seclab_new

https://mas.to/@ofadex
Attributes
  • profile_id

    1707

Targets

    • Target

      Server.bin.zip

    • Size

      43KB

    • MD5

      562ba3c4367f7e8e1b55f70cc79b4548

    • SHA1

      1af17121cc67de62cbb1a677ee8cf9a41034e220

    • SHA256

      6c5f008b6fb6dc6b52356be1cff64f1aed63023273b5d2055866f066cc14f776

    • SHA512

      1c1255f74dd2def0fbf3c35657c4c617bee48640fa77d3c28595f012a9db4a062b5611079186f286f2dd9f4f9ed955fdadbc338e96e969487e99f02defe9ebb1

    • SSDEEP

      768:iATUlMZLcjaTQ4g7JjsfmTgHPWlDg6XAKmmACxGC8G886dMeZM1E4gUASmRd:iRMZ4aTi7JYME6VQUxG53NUAS2d

    Score
    10/10
    vidar1707discoveryevasionspywarestealervmprotect

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1
T1091

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

5
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks