General

  • Target: 824f6917bdbc50b5dd169a5b51f0f550.bin
  • Size: 162KB
  • Sample: 230123-la1m1scf78
  • MD5: c663c86fd9c974f85b44a90a0ecb6960
  • SHA1: 838564977484ec24c1a14961ff52c7c4fd8fe880
  • SHA256: 70e1d7c056b605dc306e8c815edc43c756b6018384ad4f5c8713f6d67b0fae22
  • SHA512: 27e459d050a646feed810d7fc96988dfebb138104ff301c0b54b8c14d3691232146751dedc68a6bd26f6c932515e0231b101d1ee083960d8cbc7336162a087f3
  • SSDEEP: 3072:cY/f6USfGDEFAwei3HcBBRqxjpyQPADqArftXebJ0mWv00qyk:cY/ofQEFveVBDqxjseiIl0J4

Malware Config

Extracted

  • Family: vidar
  • Version: 2.1
  • Botnet: 237
  • C2:
      https://t.me/jetbim2
      https://steamcommunity.com/profiles/76561199471266194
  • Attributes:
      profile_id: 237

Extracted

  • Family: redline
  • Botnet: anydesk-usa
  • C2: 89.163.146.82:25313
  • Attributes:
      auth_value: 3048255396a3eb3d3aa36222e7cab88d

Targets

    • Target: 8c62f343b74c4c5102996d1b039e5dc49d7aaf3ef504b1bd3265213de7c56308.exe
    • Size: 261KB
    • MD5: 824f6917bdbc50b5dd169a5b51f0f550
    • SHA1: cb9b985b9b0d1bff57b06b4819fcf3c090747701
    • SHA256: 8c62f343b74c4c5102996d1b039e5dc49d7aaf3ef504b1bd3265213de7c56308
    • SHA512: 9ba6d7ecc8e19e8ed556b6acfb313d3a6511381f3c97fc19bd8115c88f292d2115c07781e596f17caa70f7b1ad49e338dcffa9395851efd32a729e5b19961eb2
    • SSDEEP: 3072:jXG21LOb5OdWzFwu4cVSNEjlAIeeIpM6KnI2VVCzgMe5LRFYUEA7:bzOwsCu4mafIf+M6r2zwUR

    Signatures

    • Detects Smokeloader packer
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • SmokeLoader
      Modular backdoor trojan in use since 2014.
    • Vidar
      Vidar is an infostealer based on Arkei stealer.
    • Executes dropped EXE
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
    • Accesses 2FA software files, possible credential harvesting
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                      ID       Count
  Execution              Scheduled Task                 T1053    1
  Persistence            Scheduled Task                 T1053    1
  Privilege Escalation   Scheduled Task                 T1053    1
  Credential Access      Credentials in Files           T1081    3
  Discovery              Query Registry                 T1012    4
  Discovery              System Information Discovery   T1082    4
  Discovery              Peripheral Device Discovery    T1120    1
  Collection             Data from Local System         T1005    3

Tasks