General
Static task: static1
URLScan task: urlscan1
Malware Config
Extracted
Family: vidar
Version: 4.2
Botnet: 28c8b36afa809659e21c14e7f6231b80
C2:
  https://t.me/rechnungsbetrag
  https://t.me/prescilliouns
  https://steamcommunity.com/profiles/76561199511129510
Attributes:
  profile_id_v2: 28c8b36afa809659e21c14e7f6231b80
  user_agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75
Extracted
Family: amadey
Version: 3.83
C2:
  62.182.156.152/so57Nst/index.php
Extracted
Family: systembc
C2:
  5.42.65.67:4298
  localhost.exchange:4298
Targets
Target: https://serialkey360.com/ntlite/
- SectopRAT payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger