General
-
Target
AppFile.zip
-
Size
3.9MB
-
Sample
240908-wfb7qa1fnf
-
MD5
fe8e17f2a80b232771f467750878cf89
-
SHA1
1dc3a9a726cd1e9c5b956205dfad1a108f78dc31
-
SHA256
a929678e0919255b39a895fbcf7c721cb41c26288114a5ee29eee03ba98f959d
-
SHA512
d90bdc57db037bb6d0cdf30888077ff9c086e522be8accb7005b674e6b7938c4f77e28a341a71248506b16218f2875d3751b01f3bf8abe285f346cf6f53a0c1c
-
SSDEEP
49152:oQXHr7WmIY3UieP8aESUoeDOUrUex/zv+8ugnRBkDiYB3Gt/kuTdzdIQ8o492ymC:ocrN9UieaSgUOgioOq3kkAH8oav/
Static task
static1
Behavioral task
behavioral1
Sample
AppFile.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
AppFile.exe
Resource
win7-20240708-en
Behavioral task
behavioral3
Sample
AppFile.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
AppFile.exe
Resource
win11-20240802-en
Malware Config
Extracted
vidar
https://t.me/fneogr
https://t.me/edm0d
https://steamcommunity.com/profiles/76561199768374681
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
Extracted
stealc
default
http://46.8.231.109
-
url_path
/c4754d4f680ead72.php
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
45.91.202.63:25415
Extracted
cryptbot
tventyv20sb.top
analforeverlovyu.top
-
url_path
/v1/upload.php
Targets
-
-
Target
AppFile.exe
-
Size
788.0MB
-
MD5
646d4e033ab1c18a0dee46d350d2cd8a
-
SHA1
1df7a96dd18d47b9efe1f11d4578f732946c4bea
-
SHA256
05ced13ddfd87cb9aea7c237d8d75f095d2d4777e09c2788b4d866699eab2737
-
SHA512
e4afd9c1bcd204c948807e8979a80477618dc28bb65d24560b01fbd247e31a3e3ad97ba22333095e4418e91c3ca8a9437dde8d9d5b14823965d34fc9e4efd1cc
-
SSDEEP
98304:yLuoPuWVpfcieiS6I1i1GRehl/r07lgoKs:QJPuW/US6i1xht07l
-
Detect Vidar Stealer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4