Resubmissions

07/05/2023, 15:33

230507-szpelsfb23 10

07/05/2023, 09:24

230507-ldawrsga3z 10

General

  • Target

    zbyl.exe

  • Size

    1.7MB

  • Sample

    230507-ldawrsga3z

  • MD5

    4f24c94182a964c6706c1920a73822c0

  • SHA1

    5fd5f215270c5f7ff7828d8e1fe7e784094ae2f0

  • SHA256

    45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3

  • SHA512

    d1f7d8b5b6f1f3464a2946b861bc7c919623ad3fddeb7899d546fae93f6d864fd614a88b043c46d990942eaf59076a72702ad17dca26b178c8312c75219ce1fd

  • SSDEEP

    49152:zsRpndZn496l3tGPHbbe2q6d5axY5zGbpSFUxTJ:zsRfZn4gVKeOwozwRv

Malware Config

Extracted

Family

vidar

Version

3.6

Botnet

9bd43ccedb1e82a38795147b462c1fe9

C2

https://steamcommunity.com/profiles/76561199499188534

https://t.me/nutalse

Attributes
  • profile_id_v2

    9bd43ccedb1e82a38795147b462c1fe9

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      zbyl.exe

    • Size

      1.7MB

    • MD5

      4f24c94182a964c6706c1920a73822c0

    • SHA1

      5fd5f215270c5f7ff7828d8e1fe7e784094ae2f0

    • SHA256

      45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3

    • SHA512

      d1f7d8b5b6f1f3464a2946b861bc7c919623ad3fddeb7899d546fae93f6d864fd614a88b043c46d990942eaf59076a72702ad17dca26b178c8312c75219ce1fd

    • SSDEEP

      49152:zsRpndZn496l3tGPHbbe2q6d5axY5zGbpSFUxTJ:zsRfZn4gVKeOwozwRv

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detects Redline Stealer samples

      This rule detects the presence of Redline Stealer samples based on their unique strings.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Async RAT payload

    • Downloads MZ/PE file

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks