General

  • Target

    37ae53ead74452038b0c77abd3302258.exe

  • Size

    5KB

  • Sample

    230819-mbcs1saf2y

  • MD5

    37ae53ead74452038b0c77abd3302258

  • SHA1

    a94fcde275f0cc5a6257591681eff73949006d62

  • SHA256

    ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360

  • SHA512

    5f43ab309aeda971eaad5beafc62d3a7170ba2c9e859f116d4e1242d0f42a22b0b69695d7e23b761b70d0cf2b122d775b7e3347de11a2ab7173f14cb8bdf053f

  • SSDEEP

    96:1EKnowbuz1quz1Sluz1nj3x/64PVDUtLvNv8ScpF/kVzNt:1HnoY0q0Sl0npVV2Lvh8JKv

Malware Config

Extracted

  • Family

    redline

  • C2

    94.142.138.147:23000

    38.181.25.43:3325

  • Attributes

    • auth_value

      ccff08893879012905ea16489b7e8ced

Extracted

  • Family

    lokibot

  • C2

    http://194.55.224.9/fresh1/five/fre.php

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

    http://2.59.254.19/fresh2/five/fre.php

Extracted

  • Family

    asyncrat

  • Botnet

    Default

  • C2

    127.0.0.1:6606

    127.0.0.1:7707

    127.0.0.1:8808

  • Mutex

    AsyncMutex_6SI8OkPnk

  • Attributes

    • delay

      3

    • install

      false

    • install_folder

      %AppData%

    • aes.plain

Extracted

  • Family

    vidar

  • Version

    5.2

  • Botnet

    980843ac508a7fe8f556d42e4c5cfb54

  • C2

    https://t.me/odyssey_tg

    https://steamcommunity.com/profiles/76561199541261200

  • Attributes

    • profile_id_v2

      980843ac508a7fe8f556d42e4c5cfb54

    • user_agent

      Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.30 (KHTML, like Gecko) Chrome/115.0.1.0 Safari/537.30

Extracted

  • Family

    vidar

  • Version

    5.1

  • Botnet

    6ba937c4f557f3e5e256c94548f72a29

  • C2

    https://t.me/tatlimark

    https://steamcommunity.com/profiles/76561199536605936

  • Attributes

    • profile_id_v2

      6ba937c4f557f3e5e256c94548f72a29

Targets

    • Target

      37ae53ead74452038b0c77abd3302258.exe

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Detect Fabookie payload

    • Fabookie

      Fabookie is a Facebook account info stealer.

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Async RAT payload

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks