Resubmissions

22-02-2023 08:39

230222-kkja2sae46 10

21-02-2023 11:18

230221-neacqsee96 10

General

  • Target

    file.exe

  • Size

    3MB

  • Sample

    230221-neacqsee96

  • MD5

    16274daca70d541c57399c2156360124

  • SHA1

    4e5790cb7dbb3714d26140bd319410a90352c340

  • SHA256

    c0bfc01fc145322a9194eb2ca9d75285312805b577bcf8e6ca510d59389f4ab3

  • SHA512

    ecb87230f114d88c0adf791b32d682a97841991274e7654cd498420dc8da61e90738a04e757c3c08cf99df777e5486e4576f94157956f8ce0aba67c8e703cc53

  • SSDEEP

    98304:6CDrrzdb8PIJOvYWrn/LjdPUmTgebZ9X2IXd0v:zDvzdwgJhWrdxtbZl

Malware Config

Extracted

Family

vidar

Version

2.6

Botnet

813

Attributes
  • profile_id

    813

Extracted

Family

raccoon

Botnet

960d8047e2829c4b87de991d706e2490

C2

http://94.142.138.37/

rc4.plain

Targets

    • Target

      file.exe

    • Size

      3MB

    • MD5

      16274daca70d541c57399c2156360124

    • SHA1

      4e5790cb7dbb3714d26140bd319410a90352c340

    • SHA256

      c0bfc01fc145322a9194eb2ca9d75285312805b577bcf8e6ca510d59389f4ab3

    • SHA512

      ecb87230f114d88c0adf791b32d682a97841991274e7654cd498420dc8da61e90738a04e757c3c08cf99df777e5486e4576f94157956f8ce0aba67c8e703cc53

    • SSDEEP

      98304:6CDrrzdb8PIJOvYWrn/LjdPUmTgebZ9X2IXd0v:zDvzdwgJhWrdxtbZl

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Collection

Data from Local System

3
T1005

Tasks