Resubmissions
15-04-2024 19:48
240415-yjb28sgh2y 1015-04-2024 19:06
240415-xsd3hsdf75 715-04-2024 19:02
240415-xpws6afh4x 1015-04-2024 18:45
240415-xecmjadd57 1015-04-2024 18:42
240415-xcbbpaff61 1015-04-2024 18:39
240415-xaqctsff5v 1015-04-2024 18:35
240415-w8gb5sff3w 1015-04-2024 18:27
240415-w315csfe2x 1015-04-2024 18:23
240415-w1w3mafd5t 715-04-2024 18:10
240415-wsg9hach35 7General
-
Target
archive-150424-06_04_17.rar
-
Size
3.4MB
-
Sample
240415-yjb28sgh2y
-
MD5
d0789073c6342c5778ac61debb57ea10
-
SHA1
e444b28b30b72ef696d1bf2822bd7b98f034cff6
-
SHA256
298882eef447afb08c134245d29d689feb30431a4c8595da619f2038f6d8b615
-
SHA512
b17a0a71e3e6cfd543c154567af888b7028005d89d50defddac5c09d36786c3887474f1d1355f055068a86bd1594acd876dc4c00087e9a0fde20d2fd7556ddda
-
SSDEEP
98304:1ID9NQfNUp9P4QAIwMCSeLbSkdr7Jw1KXXsgg5PXTdSQ:qsN/m/CS417J5HlKdH
Behavioral task
behavioral1
Sample
setup.exe
Resource
win11-20240412-en
Malware Config
Extracted
vidar
https://steamcommunity.com/profiles/76561199673019888
https://t.me/irfail
-
user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Extracted
vidar
RoInitialize
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.50:33080
Extracted
risepro
217.195.207.156:50500
Extracted
gcleaner
185.172.128.90
5.42.65.64
-
url_path
/advdlc.php
Extracted
socks5systemz
http://buxiguc.com/search/?q=67e28dd8395df37a1507f81b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978ff71ea771795af8e05c645db22f31dfe339426fa12a466c553adb719a9577e55b8603e983a608ffc13c1ef929b39
http://buxiguc.com/search/?q=67e28dd8395df37a1507f81b7c27d78406abdd88be4b12eab517aa5c96bd86ee9d8e4d835a8bbc896c58e713bc90c91936b5281fc235a925ed3e5cd6bd974a95129070b616e96cc92be510b866db51b9e34eed4c2b14a82966836f23d7f210c7ee96983acd689714
Targets
-
-
Target
setup.exe
-
Size
700.0MB
-
MD5
6d23d8dee5299700881a3e484eef8a9c
-
SHA1
43b0c7e5bea63447ef78225d76fb47c6b29a4381
-
SHA256
9383433f5dd673392f5dc01b0a8e84e063bf182cdb46fa49000a0b890f448240
-
SHA512
c98754f41c3f094dc4d39f486c9ac0b6f91977258ba1a347c0914c00e47bf995398a5c4572a8ea5d529a28c12a71b6bfb09869bd9187416e31978440b33a4e87
-
SSDEEP
49152:GnjzX9RG5mnTDunfqNMP9Pyz6DMPCMTbzdZEmqyXVSY+wfdH1rFuzi56M/cH1oYI:OD9cSfX69PvQP1vFqyXHvsnM/PbQi
-
Detect Vidar Stealer
-
Detect ZGRat V1
-
Glupteba payload
-
Modifies firewall policy service
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Creates new service(s)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Drops Chrome extension
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
4Windows Service
4Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
4Windows Service
4Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Virtualization/Sandbox Evasion
1Impair Defenses
2Disable or Modify System Firewall
1Subvert Trust Controls
1Install Root Certificate
1