General

  • Target: 8362978952.zip
  • Size: 4.7MB
  • Sample: 221110-n79nasbefq
  • MD5: 0c67cdf75a11afe7a59cd9b7b7ce17af
  • SHA1: c44ea66b027e56fb46c20a89deae3868152ea3c5
  • SHA256: a1dc211e8d06ae69e12064fc0864bde685922fcd92d4ac0caef224dd97d65769
  • SHA512: cf809511495b6f3cf1654371e576682927cb5bad9600aa5387e7fd1db409f03d2a9cfc7dce5da62643bed4ec490ee85f16eea01337eb0199a7d89eeb360c1fd7
  • SSDEEP: 98304:xaBdy/IFf8Z7XiTfASzot+4F9HCJqhNKxpcUIycF9gt:xaBJUZ7XiTfjMt+4F16qhNKLIp9gt

Malware Config

Extracted

Family: vidar
Version: 55.3
Botnet: 915
C2: https://t.me/slivetalks
C2: https://c.im/@xinibin420
Attributes
  • profile_id: 915

Extracted

Family: redline
Botnet: colybr
C2: 188.119.112.156:24790
Attributes
  • auth_value: f6f76d681091d5a2764934b620eadcac

Extracted

Family: vidar
Version: 55.3
Botnet: 977
C2: https://t.me/slivetalks
C2: https://c.im/@xinibin420
Attributes
  • profile_id: 977

Targets

    • Target: 1f8769fd48d48e2fb28dbf6bcdb375445b863ef062e79ca9fab86a1758b39214
    • Size: 4.8MB
    • MD5: a5846ee6033e8aaefbdae71a763c88c7
    • SHA1: 80b3d6f96c9bd29746139a50840628206537bf4c
    • SHA256: 1f8769fd48d48e2fb28dbf6bcdb375445b863ef062e79ca9fab86a1758b39214
    • SHA512: ba39a76a5acbeed906f4c4413f544071f2662ca6a0278d6c064a911ea8ffac0f7968cb57668cd1cd7e0989f9521ad4705bd713da0f37649b758cbd3e66ba9627
    • SSDEEP: 98304:gjw7hqfK86hPFVi9XYeJL9XO9PW5XzbuH9G8eJBuVu91r5df7P4CC9jj:09XZLT7P4
    • Score: 1/10

    • Target: 5f6164d2eabe8a95ee274c00c87dbae668d0a53a927fc8a176fdaeef21963862
    • Size: 1.9MB
    • MD5: 4c4e62732210a9e368a695d9c3ad3266
    • SHA1: 6d006e88980d42893a52d37d0c04c67b56ad96ae
    • SHA256: 5f6164d2eabe8a95ee274c00c87dbae668d0a53a927fc8a176fdaeef21963862
    • SHA512: bd00084f2d424f678a4c687ed04d09dc8bf9ac25d29da66d7f59f204f594caf8532cd6129219084ddbdfe997b695feb20add357ded5e691b9fcbafbc262ef56d
    • SSDEEP: 12288:03772bJAEN9Tm6GveOSvWRjdsW6Z01T6AFS:0H8Kq41KvEjV3n
    • Score: 3/10

    • Target: 83b22007defc15dd65e5de5ca50e65a0506d26906e20247dac15086ba5e421df
    • Size: 1.4MB
    • MD5: 19878e2bfef041ccd5a1cea0f7cfe0fb
    • SHA1: a9a4317a394a2cc6aac267ac490bd6ea51fa7d20
    • SHA256: 83b22007defc15dd65e5de5ca50e65a0506d26906e20247dac15086ba5e421df
    • SHA512: 0bdeb868cfdb07da3f006a29cbaf8b5e7d4ca182274e06e1bcaca768ced57aa74a71de2c3fd08d521f1de9bc6352537ab3e55631a17ec6e716d55d95e641b5ed
    • SSDEEP: 12288:+njobiYt1nWZQzjFeM6DJOjB9sTTHyFCLw1gTFT0GeIJl3DL6irTPFi9:ht1nYQb6VOhC02KI73DI
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Suspicious use of SetThreadContext


    • Target: 9df1f53fbcc609be62be35ed21a326dd96f482de617958b9642c64559d318d04
    • Size: 6.3MB
    • MD5: 591df45064fda833d31f9a20fdf813cf
    • SHA1: 1e3a37473bb5804bc89647051070601366b275ed
    • SHA256: 9df1f53fbcc609be62be35ed21a326dd96f482de617958b9642c64559d318d04
    • SHA512: e877ece2e4ffaeb1777e80f9ccb486a6cbc75b4f2977a00e1e02a7171cda82bdb8f22716bb55135fcc27c917da69a18870fc9ef730e7b296aee9f4871053a102
    • SSDEEP: 6144:2T4Tv+TLI+NE3B+KHJ6SSfwfZzUBEOOPfNX:2TqkU+NgBDHJcw4aX
    • Vidar
      Vidar is an infostealer based on Arkei stealer.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Deletes itself
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses 2FA software files, possible credential harvesting
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.


    • Target: c3ba328200ff6fa492d87e30674eba49236a4ea3c72db48943f086f8a618102b
    • Size: 7.3MB
    • MD5: e10eb4190253081880b3201dbe5fb87d
    • SHA1: cc74ebf650bb3e85ebe3da9b73c4f036f2d35b3e
    • SHA256: c3ba328200ff6fa492d87e30674eba49236a4ea3c72db48943f086f8a618102b
    • SHA512: 05123c281ec8d32cecebebe0e0be2c72c343a51d451d13ac55f4b96a14fdd7b52db443c7f5f5f9dcf7457e61e15a52cc0adf841de2170c3ad9b2d84a7555b13d
    • SSDEEP: 6144:8lPpeJsRFLq1VDYVrC3mPT/ptUQ8gD2Lc0oDf9sVuq1:8lEq/W19U+0ptlZqLHw1BW
    • Score: 1/10

    • Target: cdf2e2bb7acf49bf5c44e60adf26fafa901e6fe7f7421dcdd8153d70fb457d0d
    • Size: 1.4MB
    • MD5: 18c22ba7ff8c847651ca0114f044cfdb
    • SHA1: 82f0cc17c37a2580c14167b92ab252b43276c5da
    • SHA256: cdf2e2bb7acf49bf5c44e60adf26fafa901e6fe7f7421dcdd8153d70fb457d0d
    • SHA512: 98ffd6b429686b8f9d28e3b3da31b225e1e7084d2f747756647ff1d94bef88d88cd6e204d74542d32228501aea7f870ad96e59d1c79e388738b9070567809369
    • SSDEEP: 24576:USpthafGkllBfyJYFYlnR+8PMoZtcMdc+tXyk+adzbRFKH6KznN4+inP5cw:JvcfGklXfQx+EfYnYRcw
    • Score: 10/10
    • Vidar
      Vidar is an infostealer based on Arkei stealer.
    • Uses the VBS compiler for execution
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scripting [T1064] (1)
  • Defense Evasion: Install Root Certificate [T1130] (2); Modify Registry [T1112] (2); Scripting [T1064] (1)
  • Credential Access: Credentials in Files [T1081] (3)
  • Discovery: System Information Discovery [T1082] (6); Query Registry [T1012] (4)
  • Collection: Data from Local System [T1005] (3)

The number in parentheses is the count of matched signatures for that technique.