Overview

overview

10

Static

static

517b3e8666...85.exe

windows7-x64

10

517b3e8666...85.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    517b3e8666e16e483d9e808b5dc1e906b71b314d8079e12e1b371f694ab58e85

  • Size

    111KB

  • Sample

    221121-zq86zsbb91

  • MD5

    918559da8befd959c42be4e1446a484a

  • SHA1

    731dcd588601885c1256d11faf2cf42f6663c4ca

  • SHA256

    e2e4dc4bdb2c491f7fc14b23c6cf587dcc29d213f1b174f50452cf6914280e19

  • SHA512

    8a818218b6d446e71cda2384e34309cfe8bbf4603cc8d3191d6e9e1761acf1d66bbdd98b2ca4699bddef63442d96661768d6dd1c46b7b29dd3788cee9123585f

  • SSDEEP

    3072:/YRyz6CrGHAz71P8fwlCP64kCshMR9T4d1Uy:ztrE4pkEs64tseR9K/

Score
10/10
amadeyredlinesmokeloadervidar1148kriptbackdoordiscoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

KRIPT

C2

212.8.246.157:32348

Attributes
  • auth_value

    80ebe4bab7a98a7ce9c75989ff9f40b4

Extracted

Family

amadey

Version

3.50

C2

193.56.146.174/g84kvj4jck/index.php

Extracted

Family

vidar

Version

55.7

Botnet

1148

C2

https://t.me/deadftx

https://www.tiktok.com/@user6068972597711
Attributes
  • profile_id

    1148

Targets

    • Target

      517b3e8666e16e483d9e808b5dc1e906b71b314d8079e12e1b371f694ab58e85

    • Size

      162KB

    • MD5

      dc60563b71aa03fd9ba356d25e8f8eed

    • SHA1

      0715b7fa19279520ae5c70ce58da0bb4528b8dc4

    • SHA256

      517b3e8666e16e483d9e808b5dc1e906b71b314d8079e12e1b371f694ab58e85

    • SHA512

      c6b57a7ceed511bd6098f518dce5b2a475f69bd4efb08835b4f0523e1bb6e1ff78a2334ad8cfb9f6ae4e3fc8c5069830243acebae38016495d87da9fdaebf9e5

    • SSDEEP

      3072:Cvi3f6nct/HOad5StRcGuVBbeUipv0AvcL1Tat:Cmfxt/OzE3Hbspc6cL1Te

    Score
    10/10
    smokeloaderbackdoortrojanamadeyredlinevidar1148kriptdiscoveryinfostealerspywarestealer

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks