Overview

overview

10

Static

static

37e7a0cb57...56.exe

windows7-x64

10

37e7a0cb57...56.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    37e7a0cb57d41de9d7c3224ea706d956.exe

  • Size

    329KB

  • Sample

    230123-kbvbyscd78

  • MD5

    37e7a0cb57d41de9d7c3224ea706d956

  • SHA1

    6464fb777364a70bf9fb53963edfe114d884842a

  • SHA256

    7e3cdf01398c97f906a619d9a8234cb25029084cbc8ff54a927e903df7cf2f9d

  • SHA512

    dd373babbd100c38b6bfadc2a24f1cfdf9b48e8234c0fb34118ae2b0825b5c3d88e74f7c9796f14ba9e11d6ceeb564db575be97c2aa9e57742c4021af6f5c7e9

  • SSDEEP

    6144:EDL1ZK+S+qctFrMlta7mwGsztQK/fu1d0xrhRE9mTbV:EDxZlt+zwmetQKXu1yNM

Score
10/10
redlinesmokeloadervidar237anydesk-usabackdoordiscoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

anydesk-usa

C2

89.163.146.82:25313

Attributes
  • auth_value

    3048255396a3eb3d3aa36222e7cab88d

Extracted

Family

vidar

Version

2.1

Botnet

237

C2

https://t.me/jetbim2

https://steamcommunity.com/profiles/76561199471266194
Attributes
  • profile_id

    237

Targets

    • Target

      37e7a0cb57d41de9d7c3224ea706d956.exe

    • Size

      329KB

    • MD5

      37e7a0cb57d41de9d7c3224ea706d956

    • SHA1

      6464fb777364a70bf9fb53963edfe114d884842a

    • SHA256

      7e3cdf01398c97f906a619d9a8234cb25029084cbc8ff54a927e903df7cf2f9d

    • SHA512

      dd373babbd100c38b6bfadc2a24f1cfdf9b48e8234c0fb34118ae2b0825b5c3d88e74f7c9796f14ba9e11d6ceeb564db575be97c2aa9e57742c4021af6f5c7e9

    • SSDEEP

      6144:EDL1ZK+S+qctFrMlta7mwGsztQK/fu1d0xrhRE9mTbV:EDxZlt+zwmetQKXu1yNM

    Score
    10/10
    smokeloaderbackdoortrojanredlinevidar237anydesk-usadiscoveryinfostealerspywarestealer

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks