General

  • Target

    0ea70b4d192bf72d3e9cd91e7ae35879f16ae0faf3a5059452ffe1a784678438

  • Size

    194KB

  • Sample

    230122-2ffsssbh7x

  • MD5

    d2e6266e18512b5edc6f7151b23bcb7c

  • SHA1

    905218200231d6aa5d4bf049634a74ca7635b672

  • SHA256

    0ea70b4d192bf72d3e9cd91e7ae35879f16ae0faf3a5059452ffe1a784678438

  • SHA512

    6f1b9b6dd8217a27960dd1062f83bfafb6fddd75ef900e0f471ab05d467899bafb2b6234bb80541f5f21869038020ed7f7b33170d7ddcb28f28f29989492c281

  • SSDEEP

    3072:qBN0X6cVM0vLUOYylA5t4iXM3xNcW+ej096VWL4LQsmwLN2m:+iHLUOZlIDoMWr0sWeQshLM

Malware Config

Extracted

Family

vidar

Version

2.1

Botnet

237

C2

https://t.me/jetbim2

https://steamcommunity.com/profiles/76561199471266194

Attributes
  • profile_id

    237

Extracted

Family

redline

Botnet

anydesk-usa

C2

89.163.146.82:25313

Attributes
  • auth_value

    3048255396a3eb3d3aa36222e7cab88d

Targets

    • Target

      0ea70b4d192bf72d3e9cd91e7ae35879f16ae0faf3a5059452ffe1a784678438

    • Size

      194KB

    • MD5

      d2e6266e18512b5edc6f7151b23bcb7c

    • SHA1

      905218200231d6aa5d4bf049634a74ca7635b672

    • SHA256

      0ea70b4d192bf72d3e9cd91e7ae35879f16ae0faf3a5059452ffe1a784678438

    • SHA512

      6f1b9b6dd8217a27960dd1062f83bfafb6fddd75ef900e0f471ab05d467899bafb2b6234bb80541f5f21869038020ed7f7b33170d7ddcb28f28f29989492c281

    • SSDEEP

      3072:qBN0X6cVM0vLUOYylA5t4iXM3xNcW+ej096VWL4LQsmwLN2m:+iHLUOZlIDoMWr0sWeQshLM

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

3
T1005

Tasks