General

  • Target: e00ee2b99a1b73170abfc6f2b6006859.bin
  • Size: 133 KB
  • Sample: 230123-l3crnacg79
  • MD5: e308c78743fd9ac7f8aed0fcf589d341
  • SHA1: a2feb0f93dcc46e24ee107993488b31cde51bb3c
  • SHA256: 1a47b3bcc6e13043d56a2eca93f89c5abd6b75b1a31eeb0e04e7358edd4409a0
  • SHA512: e17dea446999f60b90088c6f780ce8fc18de43e2d7c93b923f949a163dfb017b4b2f48946d2d6afceda473e91d451433af50441595f8e62ebd60e81754270959
  • SSDEEP: 3072:u2PZM8xXT6MaeY/x4342gPNChc+m50+mD5WBG/sOL4LV2:lZNj677x4DcwDgBG/nL4Q

Malware Config

Extracted

  • Family: vidar
  • Version: 2.1
  • Botnet: 237
  • C2:
      https://t.me/jetbim2
      https://steamcommunity.com/profiles/76561199471266194
  • Attributes:
      profile_id: 237

Extracted

  • Family: redline
  • Botnet: anydesk-usa
  • C2: 89.163.146.82:25313
  • Attributes:
      auth_value: 3048255396a3eb3d3aa36222e7cab88d

Targets

    • Target: 89fcd985190ac07b1f244e1b372c0ef9b5a18f4bcffeac8b559f2db6affabdcf.exe
    • Size: 210 KB
    • MD5: e00ee2b99a1b73170abfc6f2b6006859
    • SHA1: b0051063d3c2d31496a749651ab51dcf20311e9d
    • SHA256: 89fcd985190ac07b1f244e1b372c0ef9b5a18f4bcffeac8b559f2db6affabdcf
    • SHA512: c854152f3f2688b4786ae7cc86800d8fa61ef3c085faa7f5e9dd3a8431083d04e1356b6b685acefcaca2454aade965fb0214d151c34c0e30e47a772e82688800
    • SSDEEP: 3072:GXDbSdwTyJuW35s4xAZFDItQC6tgb2OtxWWrwapb:uKrJuWN+WWtgbVjp

    • Detects Smokeloader packer

    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader
      Modular backdoor trojan in use since 2014.

    • Vidar
      Vidar is an infostealer based on Arkei stealer.

    • Executes dropped EXE

    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                 Technique                      Count  ID
Execution              Scheduled Task                 1      T1053
Persistence            Scheduled Task                 1      T1053
Privilege Escalation   Scheduled Task                 1      T1053
Credential Access      Credentials in Files           3      T1081
Discovery              Query Registry                 4      T1012
Discovery              System Information Discovery   4      T1082
Discovery              Peripheral Device Discovery    1      T1120
Collection             Data from Local System         3      T1005

Tasks