General

  • Target: Keygen.zip
  • Size: 2MB
  • Sample: 230622-vbr7psfd93
  • MD5: 777982ebb5c620fcaf4c5e86e9aeed47
  • SHA1: 9234d27ec1f49e98384e9309f507cd31a9871360
  • SHA256: cbb8f5805487e2d2be102b27efc4d99af9c13abea1705bc12682c15c34850c8e
  • SHA512: 041e556cb0a81878891bdc49c87b948dda621e7a6196de210482edeb9655ef0e01eb25cfdeb28286e9fd13cc881c6ae621ef6850a210d2199b9c18cdf486d138
  • SSDEEP: 49152:7eodmzLiO0yDPqfHjzAYI2O7SFh/8nv4wbs4KJ7hfSi/od1vh6ze7k4kSRzeLAD:7ecmni2pYI2og/Wfb6lKi/od1vh6zMko

Malware Config

Extracted

  • Family: redline
  • Botnet: 1
  • C2: 95.216.249.153:81
  • Attributes
    • auth_value: a290efd4796d37556cc5af7e83c91346

Extracted

  • Family: vidar
  • Version: 4.4
  • Botnet: 9f58bcb3813bb0d3c7a7a048ae145e6b
  • C2:
    https://steamcommunity.com/profiles/76561199235044780
    https://t.me/headlist
  • Attributes
    • profile_id_v2: 9f58bcb3813bb0d3c7a7a048ae145e6b
    • user_agent: Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD91D; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.124 Safari/537.36

Extracted

  • Family: gcleaner
  • C2:
    45.12.253.56
    45.12.253.72
    45.12.253.98
    45.12.253.75

Targets

    • Target: Keygen.exe
    • Size: 3MB
    • MD5: 59c32d48277474cbf18676cca36705d1
    • SHA1: 0599c381a26c94302d8a8fb4b8dcf2a6a599635b
    • SHA256: cecb3e64aedca4f47e635529713724e71c07de23949e93ab0f211bb82bae63d0
    • SHA512: ecf6d93ae7099c6feb03023d1b5370e2261ff70c8aad797e18f032b1fab7199cb9500b082e8790c8b3b3f2c5b370c79b20012d22acfe26a0cc3ebc87f5f17c8e
    • SSDEEP: 98304:cSiMCSdYa4SKNe1bYdM+DidXvh6d204OOR5qj8:NCSe+1bYdtgJ6M8YYQ

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               | Technique                           | Count | ID
  ---------------------|-------------------------------------|-------|------
  Execution            | Command-Line Interface              | 1     | T1059
  Persistence          | Modify Existing Service             | 1     | T1031
  Persistence          | Registry Run Keys / Startup Folder  | 1     | T1060
  Defense Evasion      | Modify Registry                     | 4     | T1112
  Defense Evasion      | Install Root Certificate            | 1     | T1130
  Credential Access    | Credentials in Files                | 3     | T1081
  Discovery            | Query Registry                      | 6     | T1012
  Discovery            | System Information Discovery        | 6     | T1082
  Discovery            | Peripheral Device Discovery         | 1     | T1120
  Collection           | Data from Local System              | 3     | T1005
  Command and Control  | Web Service                         | 1     | T1102