General

  • Target: 2a1ad1edcd3d0cf806ecc5cacb6e21f30674e918294a35e5fc81c1a3ae757d5e
  • Size: 3.5MB
  • Sample: 240621-yjh6jszhpb
  • MD5: 462a3ad8ed13bcb7930f7c523d5f0b1a
  • SHA1: 5475667c7cefffc66f5f717bb761bc7341822283
  • SHA256: 2a1ad1edcd3d0cf806ecc5cacb6e21f30674e918294a35e5fc81c1a3ae757d5e
  • SHA512: 006b783939acd9ee0407189c7152820cd2436c191c6cbf6ac948134bc969731ae049b956d774e2c5881fcd65ff9d67216e7130417d4014f3a0f14612f28fdc5a
  • SSDEEP: 24576:I2GTk4jkJ/7atcTvs0hypYR4oBmH2Rza4WTUZsevouKE3730txXjHlEo88q5kKKi:JGTjjkirHWmpu5L6pbq52sXBnOpgZV0E

Malware Config

Extracted

  • Family: stealc
  • rc4.plain

Extracted

  • Family: vidar
  • Version: 10.1
  • Botnet: 56561c66bf3314a2b5cad65677212bfe
  • C2:
      https://t.me/memve4erin
      https://steamcommunity.com/profiles/76561199699680841
  • Attributes
      user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0

Extracted

  • Family: risepro
  • C2: 5.42.67.8:50500

Targets

    • Detect Vidar Stealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Detect binaries embedding a considerable number of MFA browser extension IDs.

    • Detect binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables containing potential Windows Defender anti-emulation checks

    • Detects executables packed with Babel

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks