General

  • Target

    tmp

  • Size

    1.6MB

  • Sample

    230324-f86n2aee7v

  • MD5

    e5f500ae2fdb4ab9f6be5475964ec5c7

  • SHA1

    a9227afc32e5ce7722c8927f4c3f8c7b26da9923

  • SHA256

    bc3806f66884b0cca0e04cd6ec09f391f5ea3855e3ce6bd621e04706ece5e6ed

  • SHA512

    768916e73c77bed2394e428621ae39521f8ebcff2a4b367f9ae1510165aacb1f29a04953845a8026f3f5ee10123cadbf929e3b2ed0117f6f3b8c9d13e681c366

  • SSDEEP

    49152:OhWTfPjDurtiIIMmk7Shxtj+EXQW054yobLhT:rDXInmGShDJXQW054yqhT

Malware Config

Extracted

  • Family

    redline

  • Botnet

    mix1

  • C2

    80.85.157.78:13331

  • Attributes

    auth_value: 4f9b36b8bfdf2607d3f0e623584037e2

Extracted

  • Family

    vidar

  • Version

    3.1

  • Botnet

    ba1fc89d9f7df84dadf34886aabb246c

  • C2

    https://t.me/owned001

    http://65.109.236.2:80

    https://t.me/tabootalks

    https://steamcommunity.com/profiles/76561199472266392

    http://135.181.26.183:80

    The t.me and steamcommunity.com entries are dead-drop resolvers, not backends: Vidar fetches the public channel or profile page and parses the live C2 address out of it, so the operator can rotate infrastructure without rebuilding the sample. Blocking those domains outright breaks legitimate traffic and gains little; the two IP:80 entries are the direct C2 endpoints and are the ones to block.

  • Attributes

    profile_id_v2: ba1fc89d9f7df84dadf34886aabb246c

    user_agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 OPR/91.0.4516.79
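The script below is a worked example added to this report; it is not part of the sandbox output or of either malware family's code. It takes the two extracted configurations exactly as listed above, normalizes every C2 entry to (scheme, host, port), separates direct endpoints from dead-drop resolvers so that only the former go on a blocklist, and checks a local file against the report's hashes. The DEAD_DROP_HOSTS set, the "tcp" label for bare host:port entries, and all function names are this example's own assumptions.

```python
import hashlib
import re
from urllib.parse import urlparse

# Configurations copied from the report above.
REDLINE_CONFIG = {
    "family": "redline",
    "botnet": "mix1",
    "c2": ["80.85.157.78:13331"],
    "auth_value": "4f9b36b8bfdf2607d3f0e623584037e2",
}

VIDAR_CONFIG = {
    "family": "vidar",
    "version": "3.1",
    "botnet": "ba1fc89d9f7df84dadf34886aabb246c",
    "c2": [
        "https://t.me/owned001",
        "http://65.109.236.2:80",
        "https://t.me/tabootalks",
        "https://steamcommunity.com/profiles/76561199472266392",
        "http://135.181.26.183:80",
    ],
}

# Hosts Vidar uses as dead-drop resolvers (profile text carries the live C2).
# Assumption for this example; the report does not label the entries itself.
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}

DEFAULT_PORTS = {"http": 80, "https": 443}
HOST_PORT_RE = re.compile(r"^(?P<host>[^:/\s]+):(?P<port>\d{1,5})$")


def normalize_c2(entry):
    """Return (scheme, host, port). RedLine lists bare host:port (labelled
    'tcp' here); Vidar lists full URLs, whose port defaults from the scheme."""
    m = HOST_PORT_RE.match(entry.strip())
    if m:
        return ("tcp", m.group("host"), int(m.group("port")))
    u = urlparse(entry.strip())
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError("unrecognised C2 entry: %r" % entry)
    port = u.port if u.port is not None else DEFAULT_PORTS[u.scheme]
    return (u.scheme, u.hostname, port)


def classify_host(host):
    return "dead_drop" if host.lower() in DEAD_DROP_HOSTS else "direct"


def build_iocs(configs):
    """Flatten every C2 entry of every config into one normalized record."""
    iocs = []
    for cfg in configs:
        for entry in cfg["c2"]:
            scheme, host, port = normalize_c2(entry)
            iocs.append({
                "family": cfg["family"], "botnet": cfg["botnet"],
                "scheme": scheme, "host": host, "port": port,
                "kind": classify_host(host), "source": entry,
            })
    return iocs


def blockable_hosts(iocs):
    """Hosts safe to block outright: direct C2s only, never the dead drops."""
    return sorted({i["host"] for i in iocs if i["kind"] == "direct"})


def dead_drop_urls(iocs):
    """Resolver URLs to monitor (and fetch for the current C2), not to block."""
    return [i["source"] for i in iocs if i["kind"] == "dead_drop"]


def verify_hashes(data, expected):
    """Return the algorithms whose digest of `data` does NOT match `expected`;
    an empty list means the bytes are the sample the report describes."""
    mismatches = []
    for algo, want in expected.items():
        if hashlib.new(algo, data).hexdigest().lower() != want.lower():
            mismatches.append(algo)
    return mismatches


# Digests from the General section of the report (ssdeep is not in hashlib).
REPORT_HASHES = {
    "md5": "e5f500ae2fdb4ab9f6be5475964ec5c7",
    "sha1": "a9227afc32e5ce7722c8927f4c3f8c7b26da9923",
    "sha256": "bc3806f66884b0cca0e04cd6ec09f391f5ea3855e3ce6bd621e04706ece5e6ed",
}

if __name__ == "__main__":
    iocs = build_iocs([REDLINE_CONFIG, VIDAR_CONFIG])
    for i in iocs:
        print("%-8s %-9s %s:%d  <- %s" % (i["family"], i["kind"], i["host"], i["port"], i["source"]))
    print("block:", blockable_hosts(iocs))
    print("monitor only:", dead_drop_urls(iocs))
```

To check a file you have on disk against this report, pass `open(path, "rb").read()` to `verify_hashes` with `REPORT_HASHES`; a non-empty return means you are looking at a different build, and the C2 values above should not be assumed to apply to it.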

Targets

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

      A process was created with an explicitly chosen parent rather than the caller, the primitive behind parent-PID spoofing; the process tree shown by EDR will not reflect the true creator.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Loads dropped DLL

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

      Execution of a thread in another process was redirected, a step typical of process hollowing and other injection techniques.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files, T1081 (2 signatures)

  • Discovery

    Query Registry, T1012 (1 signature)

    System Information Discovery, T1082 (1 signature)

  • Collection

    Data from Local System, T1005 (2 signatures)

The technique IDs follow ATT&CK v6. In current ATT&CK, T1081 has been folded into T1552.001 (Unsecured Credentials: Credentials In Files); T1012, T1082 and T1005 are unchanged.
