General

  • Target

    6ea12df430364986e22d11e6793a493b.exe

  • Size

    195KB

  • Sample

    230123-kbvbyseb5s

  • MD5

    6ea12df430364986e22d11e6793a493b

  • SHA1

    075f0b6c0f9e9c3a2d5988535b83ce625eba9e86

  • SHA256

    fe47d357dda7d18ae16d0c1dc046375d332d8aa1b373c9d37d97e2e6a8b50b0d

  • SHA512

    ec22105faf9ec8fcb018f778a1dfc7b085f8b39ebf957dcd5a5547de2826e5409cffb2b10f9ee5fd362fd07284910319a2161b31f836dd4e55b9ee90805aa8ef

  • SSDEEP

    3072:JBN0XCo3pTLT0FFbcEqjO5k3AyVNCLZp2ie9Dq1oFNKj4ygN9a9VUH4fNN:PinLYoEqjYZX14ggqa

Malware Config

Extracted

Family

vidar

Version

2.1

Botnet

237

C2

https://t.me/jetbim2

https://steamcommunity.com/profiles/76561199471266194

Attributes
  • profile_id

    237

Extracted

Family

redline

Botnet

anydesk-usa

C2

89.163.146.82:25313

Attributes
  • auth_value

    3048255396a3eb3d3aa36222e7cab88d

Targets

    • Target

      6ea12df430364986e22d11e6793a493b.exe

    • Size

      195KB

    • MD5

      6ea12df430364986e22d11e6793a493b

    • SHA1

      075f0b6c0f9e9c3a2d5988535b83ce625eba9e86

    • SHA256

      fe47d357dda7d18ae16d0c1dc046375d332d8aa1b373c9d37d97e2e6a8b50b0d

    • SHA512

      ec22105faf9ec8fcb018f778a1dfc7b085f8b39ebf957dcd5a5547de2826e5409cffb2b10f9ee5fd362fd07284910319a2161b31f836dd4e55b9ee90805aa8ef

    • SSDEEP

      3072:JBN0XCo3pTLT0FFbcEqjO5k3AyVNCLZp2ie9Dq1oFNKj4ygN9a9VUH4fNN:PinLYoEqjYZX14ggqa

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

3
T1005

Tasks