General

  • Target

    AppFile.zip

  • Size

    3.9MB

  • Sample

    240908-wfb7qa1fnf

  • MD5

    fe8e17f2a80b232771f467750878cf89

  • SHA1

    1dc3a9a726cd1e9c5b956205dfad1a108f78dc31

  • SHA256

    a929678e0919255b39a895fbcf7c721cb41c26288114a5ee29eee03ba98f959d

  • SHA512

    d90bdc57db037bb6d0cdf30888077ff9c086e522be8accb7005b674e6b7938c4f77e28a341a71248506b16218f2875d3751b01f3bf8abe285f346cf6f53a0c1c

  • SSDEEP

    49152:oQXHr7WmIY3UieP8aESUoeDOUrUex/zv+8ugnRBkDiYB3Gt/kuTdzdIQ8o492ymC:ocrN9UieaSgUOgioOq3kkAH8oav/

Malware Config

Extracted

Family

vidar

C2

https://t.me/fneogr

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Extracted

Family

stealc

Botnet

default

C2

http://46.8.231.109

Attributes
  • url_path

    /c4754d4f680ead72.php

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

45.91.202.63:25415

Extracted

Family

cryptbot

C2

tventyv20sb.top

analforeverlovyu.top

Attributes
  • url_path

    /v1/upload.php

Targets

    • Target

      AppFile.exe

    • Size

      788.0MB

    • MD5

      646d4e033ab1c18a0dee46d350d2cd8a

    • SHA1

      1df7a96dd18d47b9efe1f11d4578f732946c4bea

    • SHA256

      05ced13ddfd87cb9aea7c237d8d75f095d2d4777e09c2788b4d866699eab2737

    • SHA512

      e4afd9c1bcd204c948807e8979a80477618dc28bb65d24560b01fbd247e31a3e3ad97ba22333095e4418e91c3ca8a9437dde8d9d5b14823965d34fc9e4efd1cc

    • SSDEEP

      98304:yLuoPuWVpfcieiS6I1i1GRehl/r07lgoKs:QJPuW/US6i1xht07l

    • CryptBot

      CryptBot is a C++ stealer distributed widely, bundled with other software.

    • Detect Vidar Stealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks