Overview

overview

10

Static

static

464502cbaa...86.exe

windows7-x64

10

464502cbaa...86.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    464502cbaae7b9ed1cd6da844d38ba86.exe

  • Size

    18.4MB

  • Sample

    221111-xw29hsab38

  • MD5

    464502cbaae7b9ed1cd6da844d38ba86

  • SHA1

    30dd42539cbfad04564f9db45ca40f2b9e81546c

  • SHA256

    6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4

  • SHA512

    e74b45702eeaca95bc6c9f2aeea8a5958a425dc1f45ecfb127e286a39eb668243b41e56c705ae5fe7a72ff1ab691948adf29ddd6de18509421fa415647a36b59

  • SSDEEP

    98304:2pgc9WBd2/ojIbrK51bnqvMwqwWhWznbdyxDDFC4B14d+iXLfg0rf2a33OXA7zTg:2pgnBkbYEMUWIzbdyxDDFCXpZU

Score
10/10
arrowratredlinevidar1754@noxycloudclientdiscoveryinfostealerpersistenceratspywarestealer

Malware Config

Extracted

Family

vidar

Version

55.6

Botnet

1754

C2

https://t.me/seclab_new

https://github.com/smbfhrgc
Attributes
  • profile_id

    1754

Extracted

Family

redline

Botnet

@NoxyCloud

C2

85.192.63.57:34210

Attributes
  • auth_value

    20dc074852db65a2b74addf964cf576e

Extracted

Family

arrowrat

Botnet

Client

C2

213.239.219.58:1337

Mutex

nPxRArUjc

Targets

    • Target

      464502cbaae7b9ed1cd6da844d38ba86.exe

    • Size

      18.4MB

    • MD5

      464502cbaae7b9ed1cd6da844d38ba86

    • SHA1

      30dd42539cbfad04564f9db45ca40f2b9e81546c

    • SHA256

      6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4

    • SHA512

      e74b45702eeaca95bc6c9f2aeea8a5958a425dc1f45ecfb127e286a39eb668243b41e56c705ae5fe7a72ff1ab691948adf29ddd6de18509421fa415647a36b59

    • SSDEEP

      98304:2pgc9WBd2/ojIbrK51bnqvMwqwWhWznbdyxDDFC4B14d+iXLfg0rf2a33OXA7zTg:2pgnBkbYEMUWIzbdyxDDFCXpZU

    Score
    10/10
    arrowratredlinevidar1754@noxycloudclientdiscoveryinfostealerpersistenceratspywarestealer

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

      ratarrowrat

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks