General

  • Target

    c1f4204697908a155a89bd2237d4ded480cfa78afbb555b02ae53a1badd9e8f0

  • Size

    3.2MB

  • Sample

    241108-meh47s1bne

  • MD5

    b5e4e3939b9dd07cb9af9b2207d4333f

  • SHA1

    7dcacad5844326620bda2b4156cf673691bda9f5

  • SHA256

    c1f4204697908a155a89bd2237d4ded480cfa78afbb555b02ae53a1badd9e8f0

  • SHA512

    e9d235663963f2dda6a6e9c6081f4a99555bcd7234cd32c45571282d7c8dcc2eb0e8e0ceaf28ef0abf6cfa01dfb11bb52ab8a7e981e6ce1973b1466b8664fd1b

  • SSDEEP

    49152:9TZu5JrF82uv3/A6UcAblqJY7PYi53iPwaDGIM6VjNo47jNeB5kh/EtSB0bSZa4N:9TM5hFm/9aZFEYaDC/uPBASw4DP4I

Malware Config

Extracted

Family

redline

Botnet

leo5

C2

cenyeyalory.xyz:80

kaiaiannial.xyz:80

viasanainah.xyz:80

xtelstasiup.xyz:80

Attributes
  • auth_value

    be820120fdc25e4fee4cd33b669b3e2c

Extracted

Family

vidar

Version

52.1

Botnet

1281

C2

https://t.me/verstappenf1r

https://climatejustice.social/@ronxik312

Attributes
  • profile_id

    1281

Targets

    • Target

      setup/AISetup-Crack.exe

    • Size

      346.0MB

    • MD5

      5caa09b3a7089d4ec3ab263af0041826

    • SHA1

      40bafeae4244b17f5bbd42b1863fe8ba83d6e6f3

    • SHA256

      73487ed92e7cc9a0017dc27784a2a48d5d6ede2d76fb3190ab69cdd402d23ab1

    • SHA512

      a49206f66d08b593f0546436e4a83ecebc21d7a8e0a4809075f4ca72513232063b75b4412cd9ebab00e185979e3914c048936de2a37cffa65531a44b8f0eb8e7

    • SSDEEP

      98304:pO/naJsbWq0YTrHXGy0fMu6c5A7lfvF6s0:IaGqHYTrHWHDA7JF6

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Suspicious use of SetThreadContext

    • Target

      setup/Pre-Activated-Setup.exe

    • Size

      353.8MB

    • MD5

      e49a9126069d2e7c26159b2bdc38e822

    • SHA1

      97a3494ac4065d149a7c7426ce93bd73ab223af4

    • SHA256

      c060daa79346e21d4f577b035b44b0d391bcfc2d20edea54ca3543ea8f568db8

    • SHA512

      f16f0c03932ac35b0705216e1ffdb8aa43d77f721d6d8b4b2352341aee23b96b19c80cc771a02d9eb01a980a25fb6377b64eae59c0903b62f27b2d0514ba45b5

    • SSDEEP

      49152:TvX6WTfpYz2wZEEOva4EwL7XlFuh/NmEJGxwnXCprcMRMfM9uGJ:T/AzbEEwd/V8h/4wMKQB

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks