General

  • Target: 37e7a0cb57d41de9d7c3224ea706d956.exe
  • Size: 329KB
  • Sample: 230123-kbvbyscd78
  • MD5: 37e7a0cb57d41de9d7c3224ea706d956
  • SHA1: 6464fb777364a70bf9fb53963edfe114d884842a
  • SHA256: 7e3cdf01398c97f906a619d9a8234cb25029084cbc8ff54a927e903df7cf2f9d
  • SHA512: dd373babbd100c38b6bfadc2a24f1cfdf9b48e8234c0fb34118ae2b0825b5c3d88e74f7c9796f14ba9e11d6ceeb564db575be97c2aa9e57742c4021af6f5c7e9
  • SSDEEP: 6144:EDL1ZK+S+qctFrMlta7mwGsztQK/fu1d0xrhRE9mTbV:EDxZlt+zwmetQKXu1yNM

Malware Config

Extracted

  • Family: redline
  • Botnet: anydesk-usa
  • C2: 89.163.146.82:25313
  • Attributes
    • auth_value: 3048255396a3eb3d3aa36222e7cab88d

Extracted

  • Family: vidar
  • Version: 2.1
  • Botnet: 237
  • C2: https://t.me/jetbim2
  • C2: https://steamcommunity.com/profiles/76561199471266194
  • Attributes
    • profile_id: 237

Targets

    • Target: 37e7a0cb57d41de9d7c3224ea706d956.exe

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Scheduled Task [T1053] (1)
  • Persistence: Scheduled Task [T1053] (1)
  • Privilege Escalation: Scheduled Task [T1053] (1)
  • Credential Access: Credentials in Files [T1081] (3)
  • Discovery: Query Registry [T1012] (4); System Information Discovery [T1082] (4); Peripheral Device Discovery [T1120] (1)
  • Collection: Data from Local System [T1005] (3)