General

  • Target: 47d6ed6eb2b930ec19fba5a5f4bdb632.bin
  • Size: 201KB
  • Sample: 230123-krzavace54
  • MD5: c1d1f5b00cdaf0ea6626ea1dbe9e32c0
  • SHA1: 382acef5e59882c4c97d3c88aad5484a8ec9003d
  • SHA256: 14a07677c0415e1985bccd51338ecaa73c08b4be5173b543f53b600ea3409807
  • SHA512: 80b4cf82c9987c4b5c2f07bb2e8ad2a11355aa84f4d6b27e22b531fa1f94ffbfab3abe732f8bcf9c54a49e96388772f361e1680a4e89dda9e9d2180282147b4a
  • SSDEEP: 3072:22TyRq6bXC4GFi+dVq6LTry88TgHaNIyJEjHqKTQLqFJFdSLZMlHfdSwaiRKaidI:22TyA2XC9FZqO3yLQjGDHqdgZEHsbax

Malware Config

Extracted

  • Family: vidar
  • Version: 2.1
  • Botnet: 237
  • C2:
      https://t.me/jetbim2
      https://steamcommunity.com/profiles/76561199471266194
  • Attributes:
      profile_id: 237

Extracted

  • Family: redline
  • Botnet: anydesk-usa
  • C2: 89.163.146.82:25313
  • Attributes:
      auth_value: 3048255396a3eb3d3aa36222e7cab88d

Targets

    • Target: 760eaa8737908a36b3530d765ccfa47e049abdb2f3d8a77f11eddeebdeabd60f.exe
    • Size: 291KB
    • MD5: 47d6ed6eb2b930ec19fba5a5f4bdb632
    • SHA1: 9c71877c95162d128fa0f41603f433b5fa2a3b9a
    • SHA256: 760eaa8737908a36b3530d765ccfa47e049abdb2f3d8a77f11eddeebdeabd60f
    • SHA512: 692efbfc3abd927ff6a5a9f0e286e2d4c4946ade03c66d42843e4108e1a927d1d49a643c4b70c66b4ccc44530cda70d3dd17dc1e50fbcd5c987d1e98c292274d
    • SSDEEP: 6144:PCfW/LUkDQuABl5Z5XFhNm1vDhqYSlJZ9tzrSA3H:PSW/lD98tJFXADMVZ9P3

    Signatures

    • Detects Smokeloader packer
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • SmokeLoader
      Modular backdoor trojan in use since 2014.
    • Vidar
      Vidar is an infostealer based on Arkei stealer.
    • Executes dropped EXE
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Accesses 2FA software files, possible credential harvesting
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (1) T1053
  • Persistence: Scheduled Task (1) T1053
  • Privilege Escalation: Scheduled Task (1) T1053
  • Credential Access: Credentials in Files (3) T1081
  • Discovery: Query Registry (4) T1012; System Information Discovery (4) T1082; Peripheral Device Discovery (1) T1120
  • Collection: Data from Local System (3) T1005

Tasks