General

  • Target

    5031f42bb5fc965f36d16c261032db382e9746ecbd58cda03fa40ef286738a74

  • Size

    11.3MB

  • Sample

    241108-kvm2zszcja

  • MD5

    3e54734beeaab8a1fde7ae62163ef97f

  • SHA1

    0d7de22c9534ff452cf0104a484df9c3718de10f

  • SHA256

    5031f42bb5fc965f36d16c261032db382e9746ecbd58cda03fa40ef286738a74

  • SHA512

    0bd34c8af6917bb636d67520ded3539f189fd7c652be7de5e194fb164cbba9fd39a7096521f6f946e5189fa94940fc08c01a2237d9088d588e72712255fa3998

  • SSDEEP

    196608:bD3EqO0VD50ms/HF/y/LUtvUIXQWSbANfzDn3KeEDH1FtMKny/9opxM9yIm:PXJ5VsPF0LIvKTURf3KeED3Qmi1m

Malware Config

Extracted

Family

redline

C2

82.115.223.46:57672

176.113.115.7:2883

168.119.228.126:11552

Attributes

  • auth_value

    65fba98f55adb38b082f2f52949a5552

Extracted

Family

vidar

Version

1.8

Botnet

670

C2

https://t.me/year2023start

https://steamcommunity.com/profiles/76561199467421923

http://65.108.93.119:80

Attributes

  • profile_id

    670

Extracted

Family

redline

Botnet

@foruman

C2

82.115.223.138:35316

Attributes

  • auth_value

    07b91b1fbc2cf38591e4b4015a53bf5c

Extracted

Family

redline

Botnet

0116

C2

81.161.229.143:26910

Attributes

  • auth_value

    35f84f965c2ecd5ec79c6b3e71986b0d

Targets

    • Target

      FORTNITECHEAT.exe

    • Size

      236KB

    • MD5

      205a1f643c7f26603dc645b515a8900d

    • SHA1

      0b7ffb1768dbfc50f1976c1088786d51fa6ec39f

    • SHA256

      2e68d477438ee0ed7b4d44635867a3fbee80d63436e5c780eb3d5ec554b0e713

    • SHA512

      d4a432d1959268ea9cbd345aa1da8f0c3e3de8c559df02fe4e5eb1d5b5ff94ecf1edb56cff4ad6e6e89253967f567b194d255b9000c7e58c4780878dccddee52

    • SSDEEP

      3072:YWsC/69uHTRv/pUXxtHchIb2SyEz6itegZP7iyi1pkOiK6JPytw:KC/69cV/pYxxck2OHFQpkOTQ

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Suspicious use of SetThreadContext

    • Target

      Installer2.exe

    • Size

      425KB

    • MD5

      40dc8f4a6bfb79a50691143b66fa2ff3

    • SHA1

      5f051dfe0134e4a1002dda56670f7d1cde6c5bdf

    • SHA256

      9190fb6dc4fe6f169c44804424dcfd418a373a0200aa4618c2ea0005a197e91c

    • SHA512

      db2ac9c43e931fa235f79904dcd02d4ef8c25109638a4a7601dc5ecac480c99761925d9105ff0b96e909230dd1d25d48859d409333fa7dbf7b6db4b038320549

    • SSDEEP

      12288:WOkKE07y8D09eRqFSZdg19n9Q9l9h9K9W9v9919z9b9u9U9f9e9b98989l9R9d9G:sky8OWqFSI19n9Q9l9h9K9W9v9919z93

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      Zeus.exe

    • Size

      515.0MB

    • MD5

      bb740560995911865bf11afaa73582a3

    • SHA1

      b0503aec0a704e8352f3a343c48e8f652e2a4713

    • SHA256

      643952a1c34cc68716a42cc78bc1f4684e14cd30706de64df46d9d4c928045ea

    • SHA512

      c97c8702fb820d95a0cbecccc17b4a759956b89305535f3bb45952700732e69fac8c38cf6be6f1041844745734a30a6fbe28b93639d291f93d0dbb202941cda6

    • SSDEEP

      24576:5IkpALgZ27qdFQxRYivpsR6zD3UGveZCIrB/1e3UC6zEjmTz7r4ygjzJwlywteLG:PpAXFOPZEjmfPmF8UCLVlUIY0

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Suspicious use of SetThreadContext

    • Target

      installer.exe

    • Size

      1.3MB

    • MD5

      4ca8d5fd296026e9594929feea52990e

    • SHA1

      3d70526e7f8bbd05e64b6e195ad9cd6644fc65c3

    • SHA256

      fc09addb668c15983de03593dd8f182261f3957c3dc02fbf2653820858810fa9

    • SHA512

      15180308f09e989efb174cc022ad54078f6e66872c96e1027f8f36fcd37cb5b596a566b66e1935d853fc54fade05ba4179e81218c3b7952953677a7378a82712

    • SSDEEP

      24576:odGlKVNT2CqjiK7VhmD2beSmNPiQ4SEqxgHY:o8lCkFz/O27mNKToxN

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Redline family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      lnjector.exe

    • Size

      500.5MB

    • MD5

      56cb97e07b3367190cea9bb199bc152e

    • SHA1

      cf8e2cb67cfd695ce46126a086ad970818330cda

    • SHA256

      01af0abb5a482d088222df1a4b4035ef86f643bc2537b161227bab8715dea6bb

    • SHA512

      0cf64f84e628e035b284a91fae51708cf25b78a075692df26211c74f2379fe72612bba98310bd540967ba79f570ae93c44b48505c5a324d05257c61829c7e042

    • SSDEEP

      12288:DoqTPMr/tw5cy8TOtn2C7LwUDEzM54tESMCgL:DoqTUr/tw5cy2C77+aZ5

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      setup.exe

    • Size

      6.5MB

    • MD5

      e8e5283ad4683f8dcc018d5769e473dd

    • SHA1

      d5c41f15a6fc28050e02bff6c3ab357fa0f99642

    • SHA256

      b885e915e529bb54f5d219617b77c6369300cf72a50348a37083d21f3a8345e6

    • SHA512

      8f8732c076a76abeb3ccc49215d7c201eea584bc8060df2f38cec3682bb6fbe976934ab73ba33d32e7d1e45dae271acf0fd8716c0847cab3bf930376e8f2173d

    • SSDEEP

      98304:rcLWt2jT+gKF5ENbYMyKFUB47Kh1Fpn50pOFXc2g/uu6J7Hr1x9ucbu8:wb3+XONbg0zIv5o2Xc2g/u9JHr1ycz

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks