Overview

overview

10

Static

static

740f7721be...f2.exe

windows7-x64

10

740f7721be...f2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ecb41ffa4f12fbe99b2a53141ec9f240.bin

  • Size

    3.6MB

  • Sample

    230120-rhbxhsgb2v

  • MD5

    5b885753a7fea6906925b937291c3bcc

  • SHA1

    0dda7f35506c0c1977a31327bb889d1b4f6ad6ef

  • SHA256

    e159f861102f4da97e02be9ffefd72254bb9b2a92bf7d16ea6ef8c53800b17de

  • SHA512

    9fe16b0a6a27ff9c5bf014aa9a81f4a24d3148d0680534c69d5cb17ae44f24ac81505867122da14b5cecb97aea527f5ac18db0f10f9a356ac29091daa1759210

  • SSDEEP

    98304:bgfJeLp3Bx4w6X5NK5XdCvxpD3op+WAz6W:bghenaRXf80vjUOF

Score
10/10
purecryptervidar811discoverydownloaderloaderpersistencespywarestealer

Malware Config

Extracted

Family

purecrypter

C2

https://atomm.com.br/.well-known/acme-challenge/bo/Xmwlki.dll

Extracted

Family

vidar

Version

1.9

Botnet

811

C2

https://t.me/travelticketshop

https://steamcommunity.com/profiles/76561199469016299
Attributes
  • profile_id

    811

Targets

    • Target

      740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe

    • Size

      3.9MB

    • MD5

      ecb41ffa4f12fbe99b2a53141ec9f240

    • SHA1

      68c7c9a49c519319aba55bf686f2388ee782208d

    • SHA256

      740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2

    • SHA512

      1b4f1b2225663e986be31d3aabe1491d443eb192e9b34e0aec6c7146a01bd0d350b3f417fa68a41ee3645a367175de59ebf66165cd718e4f1529f7fa3c6b6e89

    • SSDEEP

      98304:x8vnvI2bIjGMWwAQ1cdLr3AG3cLMgs7T9/7AwCYyLb+P:Ung2QGMIxLEGMLMlx/7Zcv+P

    Score
    10/10
    purecrypterdownloaderloaderpersistencespywarestealervidar811discovery

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

      loaderdownloaderpurecrypter

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks