Overview

overview

10

Static

static

3

infected/F...98.exe

windows7-x64

7

infected/F...98.exe

windows10-2004-x64

7

infected/I...er.exe

windows10-2004-x64

10

infected/R...ed.exe

windows7-x64

10

infected/R...ed.exe

windows10-2004-x64

10

infected/S...64.exe

windows7-x64

10

infected/S...64.exe

windows10-2004-x64

10

infected/b...kO.exe

windows7-x64

7

infected/b...kO.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4c7081148a218b609dca62b2ce1106e4a2e075671b0fb64352056cd6e58e7873

  • Size

    18.7MB

  • Sample

    241105-c4hvmasfpb

  • MD5

    108f04f34103c17df326ed15796773af

  • SHA1

    cfe188485d181f32a411bf74480d367776e79143

  • SHA256

    4c7081148a218b609dca62b2ce1106e4a2e075671b0fb64352056cd6e58e7873

  • SHA512

    5cfe0a93c161cb0b1ddb1fe4296b5bccca41d1d450988b21fe3c925128f2e24d4b781c849d442325d849f2ab31187f9b5749a475e072b2ceb7a70d2f09f879e1

  • SSDEEP

    393216:It2dL3J4poAWVA+3v0djDRlzlear0T5MmkoDHl7fAH//M75bv13O:IEdL3J2WgxlzQaroj1bl74H/Y5bv1e

Score
10/10
purecrypterredlinevidar814discoverydownloaderinfostealerloaderpersistencestealer

Malware Config

Extracted

Family

purecrypter

C2

https://falcaoliderfm.com.br/wp-admin/images/css/cover/bo/Jvizg.dll

Extracted

Family

redline

C2

82.115.223.46:57672

Attributes
  • auth_value

    422677a3af554849aa4fba45f91db2d0

Extracted

Family

vidar

Version

1.8

Botnet

814

C2

https://t.me/year2023start

https://steamcommunity.com/profiles/76561199467421923

http://65.108.93.119:80
Attributes
  • profile_id

    814

Targets

    • Target

      infected/Furk Ultra_10298.exe

    • Size

      8.7MB

    • MD5

      98194b1fd3ceea50438976b40ea59d05

    • SHA1

      ed918fbb5765aa91e5c9d2c492ec00667478ac35

    • SHA256

      3e091df4051e6b0859c2142a0869a415e5968c20edb5e9a60fcd077f7b61be19

    • SHA512

      9587acb23ee51e4743c5399b78b64f2a0e87e2413cd56e220df8c08ebe0f352ac0ca83c1826f09718876a6248057e9cbac0f38ee725de83b4ca7de4f805f30bf

    • SSDEEP

      196608:wu6nOE62LOa8ewFCrqNeuUG59Fa9FVDNWXVkHo/ly:MOb2C6wFCrqNZ529PDNs2Ho/k

    Score
    7/10
    discovery

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

    • Target

      infected/Installer.exe

    • Size

      677.9MB

    • MD5

      3709aaf7e625bfd4dfef3ceba18ccc4a

    • SHA1

      17fcf830d2cf2c4a016fb438cae8bf065cc55b24

    • SHA256

      9440450e86e40c1116742e77b3e97ddb5c4d4d149d9c36d0e1e5c156ddb85cd1

    • SHA512

      4ea3c2ef3226b7ed9adb966708b70dd79d6295ea603a23f34b6cada7346ce08bb2f95b2ff686ee922060ab387c5a22b34ee082d23f1d69ccf3fc46036c04c000

    • SSDEEP

      3072:gahKyd2n31z5vWp1icKAArDZz4N9GhbkENEkYg6Au/TXlbodEgY:gahOCp0yN90vEXgMrXleEd

    Score
    10/10
    purecrypterdiscoverydownloaderloaderpersistence

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

      loaderdownloaderpurecrypter

    • Purecrypter family

      purecrypter

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral3

    • Target

      infected/RobloxSynapceX Cracked.exe

    • Size

      521KB

    • MD5

      0afb47c295e5bc185b8272dc5a8967b6

    • SHA1

      5cedced75b7fc0a2f3457e9ff4e0c98b171b9ccb

    • SHA256

      0a7431f4637b27f103a4fb6d8cca52248cb4c7a77c8dd5500ca351c45c355320

    • SHA512

      03f49b5f06ebfb4ee42b1e82ad36515a34823904b9d7b3c28e99d9345b2052ea689552e8b9c39b4ca47efa5dbf60ab98cf325397e4be68c759777d7cdd7823dc

    • SSDEEP

      12288:O8DF2BeDFTYaOCaDecRe6kFfo13yzbVMyVS:O8DF2wDFTYaCY6kXz1VS

    Score
    10/10
    redlinediscoveryinfostealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral4behavioral5

    • Target

      infected/Setup x64.exe

    • Size

      331.8MB

    • MD5

      4210316bf41a99563cca90927f82244d

    • SHA1

      fe76eba47cb59bbc8a45dd6e856d729e578081da

    • SHA256

      0c7e2b060922788050b2af5250a8ebd462f9d52bdfd6ed6e9cf3a7a80420f12a

    • SHA512

      db43e3f85856c7b7de9fd99526637a3e5fc07ab34b52426538c4fc1aae780db6039c7ef14b50c9cbcd48e9e544250408d71183c9272f3b088e4e4cc21db2f6bb

    • SSDEEP

      196608:Hajex6RtY/8gpeV8gULTfHjZUtuggWAezYpT:hg8gULTfDONgWAezYp

    Score
    10/10
    vidar814discoverystealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Suspicious use of SetThreadContext

    behavioral6behavioral7

    • Target

      infected/best-setup_FLc4rckO.exe

    • Size

      5.0MB

    • MD5

      c528c3d6799af4bf0dfc38e9b549fb75

    • SHA1

      489837e49d9f655f8adbd8a7bd9929fefed3679b

    • SHA256

      ec08d9c7f34da0f45d1c5d6419e4705e18cb75912f7afc6a46c967cc3c1ed603

    • SHA512

      b79c1179dbfda1bc1a1f348c21d37c646ca0641a74938990eb1ad77bd560fd4f4ce466a83898161a7942304b0c6ae65566646ed81e544f17a66abaf283ca6538

    • SSDEEP

      98304:xbUPREbmFZgVTVr38OMVyYow2JsOnPtTvxtWXdqqMU00tBh+0HdSzvCC6vgtuZ:dUPREGyr38HVyY2xljx1XPW7Y7Cd4tuZ

    Score
    7/10
    discovery

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral8behavioral9

MITRE ATT&CK Enterprise v15

Tasks