General

  • Target: 005bcf051418d05c2750b593278c9fc8.exe.bin
  • Size: 6KB
  • Sample: 230511-w67rbabd6s
  • MD5: 005bcf051418d05c2750b593278c9fc8
  • SHA1: 3425e499c953eefad59edde4f83e1c04687799c7
  • SHA256: 9b6573b930e72d319ef4efa0975ff1b59673f96633a03d5e338bc8d7418418f4
  • SHA512: 25faa9966fa531c948c00c2454427220ba79d28230fdac1aec0a5793983d07ff2d71dba0b122bcc5bc24abb1fd18586fe2d4215d796eb9b0ba1d55099538f679
  • SSDEEP: 96:MEOIQNVjrXcWD7RtwkYv1X5Yp7svNzNt:MFIojrsWHnwkYv1XyIn

Malware Config

Extracted

  • Family: lokibot
  • C2:
    http://185.246.220.85/fresh/five/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Extracted

  • Family: redline
  • Botnet: 06.05 youtube
  • C2: 23.226.129.17:20619
  • Attributes
    • auth_value: 21645ccdf8187508e3b133b1d80a162e

Extracted

  • Family: redline
  • Botnet: mixer
  • C2: 185.161.248.75:4132
  • Attributes
    • auth_value: 3668eba4f0cb1021a9e9ed55e76ed85e

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Uses the VBS compiler for execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks