General

  • Target

    47c96fae088849b0688d8fb9b9bc912d.exe

  • Size

    194KB

  • Sample

    230123-khkfbseb7s

  • MD5

    47c96fae088849b0688d8fb9b9bc912d

  • SHA1

    3f7056c88cc969839da1bec05d5377e9a030710c

  • SHA256

    0d768d53c48bad8d7d80f7865d4037dcb695554d746cc47a088b4d82a0f2de26

  • SHA512

    178841cb476ff98cd866a0bec87b47b11483596b461ad4106da16061ff7eb3909543addd4c001bfc9df6c7072d8925447c59763fd65a507ed76fcbb1c75d248c

  • SSDEEP

    3072:PBN0XqPk+S8LWvFSS5pG9RBOh/dNOZMpp/6ayUfF6MK+uO/MG4Y:JiqLWNSUqRUHNTpp/oUfIL+uO//4

Malware Config

Extracted

Family

vidar

Version

2.1

Botnet

237

C2

https://t.me/jetbim2

https://steamcommunity.com/profiles/76561199471266194

Attributes
  • profile_id

    237

Extracted

Family

redline

Botnet

anydesk-usa

C2

89.163.146.82:25313

Attributes
  • auth_value

    3048255396a3eb3d3aa36222e7cab88d

Targets

    • Target

      47c96fae088849b0688d8fb9b9bc912d.exe

    • Size

      194KB

    • MD5

      47c96fae088849b0688d8fb9b9bc912d

    • SHA1

      3f7056c88cc969839da1bec05d5377e9a030710c

    • SHA256

      0d768d53c48bad8d7d80f7865d4037dcb695554d746cc47a088b4d82a0f2de26

    • SHA512

      178841cb476ff98cd866a0bec87b47b11483596b461ad4106da16061ff7eb3909543addd4c001bfc9df6c7072d8925447c59763fd65a507ed76fcbb1c75d248c

    • SSDEEP

      3072:PBN0XqPk+S8LWvFSS5pG9RBOh/dNOZMpp/6ayUfF6MK+uO/MG4Y:JiqLWNSUqRUHNTpp/oUfIL+uO//4

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

3
T1005

Tasks