General

  • Target

    Avira Phantom VPN Pro 6.15.5.29838 + Crack.exe

  • Size

    18.2MB

  • Sample

    230722-hbj5waad21

  • MD5

    e83dfec3d65628d4fe12769f945d5319

  • SHA1

    cb5f70209764fb896194ed404de853620b516df3

  • SHA256

    424dab10db336ac20ed0d8ba3e3b8b9b9d28c7804763ae89aa63654ce68b8b33

  • SHA512

    1f70729751d9d06a9037579569c05d469002a3af5db8c350446eacf082b1f603b7b861152ba674bb382093a93f7f9457812d3095eb4a5479f45b0e0fa5edfe42

  • SSDEEP

    393216:o7e6YyiB+9+b7e6hyiB+9+b7e6hoiB+9+b7e6hoiB+9+L7e6ko9V:o7/Yt7/ht7/h77/hr7/7

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Extracted

Family

redline

Botnet

0307

C2

n57b30a.info:81

Attributes
  • auth_value

    390c6775aa14de995353715489c650e9

Extracted

Family

vidar

Version

4.8

Botnet

https://t.me/sundayevent

C2

https://t.me/sundayevent

https://steamcommunity.com/profiles/76561198982268531

Attributes
  • profile_id_v2

    https://t.me/sundayevent

  • user_agent

    Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9

Targets

    • Target

      Avira Phantom VPN Pro 6.15.5.29838 + Crack.exe

    • Size

      18.2MB

    • MD5

      e83dfec3d65628d4fe12769f945d5319

    • SHA1

      cb5f70209764fb896194ed404de853620b516df3

    • SHA256

      424dab10db336ac20ed0d8ba3e3b8b9b9d28c7804763ae89aa63654ce68b8b33

    • SHA512

      1f70729751d9d06a9037579569c05d469002a3af5db8c350446eacf082b1f603b7b861152ba674bb382093a93f7f9457812d3095eb4a5479f45b0e0fa5edfe42

    • SSDEEP

      393216:o7e6YyiB+9+b7e6hyiB+9+b7e6hoiB+9+b7e6hoiB+9+L7e6ko9V:o7/Yt7/ht7/h77/hr7/7

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies Windows Defender notification settings

    • Modifies security service

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • Sets file execution options in registry

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks