Resubmissions

11-11-2022 23:07

221111-236mqsfc7v 10

11-11-2022 22:52

221111-2tw2yafb91 10

General

  • Target

    ROR.exe

  • Size

    1.7MB

  • Sample

    221111-2tw2yafb91

  • MD5

    85ea4565608d2f6c35decb6ed8547749

  • SHA1

    e15ae6c93c9e998b030609fdf4b3274925694229

  • SHA256

    f6706aafbeb4e8e10478bb1fd5b171e2f7f13399416344aba46233593e6f5d69

  • SHA512

    762b5e5293067c484ca54fa297f5770217275a7594083b64b15ed65955f64ba158bbf58a7713419c2dc15d265a7bf8c85b4f11c8fd27e62ba21f429493df4dd5

  • SSDEEP

    24576:WVCrlD3LeNOUaHfxaBXjVId3tgErJsF36RYioPHdo/SQE9AoA5:Wut0jaH5gkxdsF3TPdo/rE9AP

Malware Config

Extracted

Family

redline

Botnet

@NoxyCloud

C2

85.192.63.57:34210

Attributes
  • auth_value

    20dc074852db65a2b74addf964cf576e

Extracted

Family

vidar

Version

55.6

Botnet

1754

C2

https://t.me/seclab_new

https://github.com/smbfhrgc

Attributes
  • profile_id

    1754

Targets

    • Target

      ROR.exe

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic             Technique                     #  ID
Defense Evasion    Install Root Certificate      1  T1130
Defense Evasion    Modify Registry               1  T1112
Credential Access  Credentials in Files          3  T1081
Discovery          Query Registry                3  T1012
Discovery          System Information Discovery  3  T1082
Collection         Data from Local System        3  T1005