Resubmissions

  • 12/01/2023, 14:38

    230112-rzz1nsca7s 10

  • 12/01/2023, 14:17

    230112-rl6lasgc34 10

General

  • Target

    Payload.exe

  • Size

    625KB

  • Sample

    230112-rzz1nsca7s

  • MD5

    0dc00c7f7ab8e1d8d5a31d1756479e6f

  • SHA1

    54390f6d36d141ba00b32bb9759cbfe499f38a84

  • SHA256

    1761ef28bbe1f98687df84d540798d65f53975b23683140d3241f0f0cd784d85

  • SHA512

    f430b7d63d8543dc341f5871afad2cc45c4c3e75cb47c345f20820fe7505c10ad8deb5e049fbbaf81a76e8e3c3cc0fcca3f7ef70f6b593529e84ebe622dcb494

  • SSDEEP

    3072:NElc+orpNuOBo22K87Rt6LYDD++8i6YSG9jVmse3KU08E5WyK+W+Ay6T2Q1Ddshp:CWtrZzCt6LYDp8+SG9CAK+WznSYaN

Malware Config

Extracted

  • Family

    vidar

  • Version

    1.8

  • Botnet

    494

  • C2

    https://t.me/year2023start

    https://steamcommunity.com/profiles/76561199467421923

Attributes

  • profile_id

    494

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks