Overview

overview

10

Static

static

3

ba66c7a46a...96.exe

windows7-x64

10

ba66c7a46a...96.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    82d820788a5fd1a203b8c45f880ab1368257c818

  • Size

    817KB

  • Sample

    241109-wjahassjhk

  • MD5

    b62b613ae3fe7036fa43bc29ae47e543

  • SHA1

    82d820788a5fd1a203b8c45f880ab1368257c818

  • SHA256

    6228a057bf70d95e0f6cd3a5639d02e4155c84f7da9fd29bf879e3473d37d86d

  • SHA512

    3f291f9e42efec5976c689c6c94cd321bd4b621a6f8694f56fa2a4f0bdd663397b0f19552cb9f5376d8a46f130c378109e5c078d10fd80cc53f3de0987992a3b

  • SSDEEP

    24576:gIr/UNpB27Yqh/QD/mo59Urj49QR88coW0NRAIT:TcNpB27Yq+maUrj4mrnW0NOIT

Score
10/10
raccoonredlinevidar4507635788776426c3f362f5a47a469f0e9d8bc3eef@tag12312341afb5c633c4650f69312baef49db9dfa4nam3discoveryinfostealerstealer

Malware Config

Extracted

Family

vidar

C2

http://146.19.247.187:80

http://45.159.248.53:80

http://62.204.41.126:80

https://t.me/albaniaestates

https://c.im/@banza4ker

Extracted

Family

redline

Botnet

4

C2

31.41.244.134:11643

Attributes
  • auth_value

    a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

C2

62.204.41.144:14096

Attributes
  • auth_value

    71466795417275fac01979e57016e277

Extracted

Family

redline

Botnet

5076357887

C2

195.54.170.157:16525

Attributes
  • auth_value

    0dfaff60271d374d0c206d19883e06f3

Extracted

Family

redline

Botnet

nam3

C2

103.89.90.61:34589

Attributes
  • auth_value

    64b900120bbceaa6a9c60e9079492895

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

C2

http://193.56.146.177

Attributes
  • user_agent

    mozzzzzzzzzzz

xor.plain

Extracted

Family

raccoon

Botnet

76426c3f362f5a47a469f0e9d8bc3eef

C2

http://45.95.11.158/

Attributes
  • user_agent

    mozzzzzzzzzzz

xor.plain

Targets

    • Target

      ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396

    • Size

      902KB

    • MD5

      e6ae2071837c90e79a7f4c6e8e778f0f

    • SHA1

      b340afd00d6feb4da15b9b10446417e51d3f7082

    • SHA256

      ba66c7a46a35c1b38aa76a199ae19a65674786771b153e0fadc62fcd28367396

    • SHA512

      6e1662cc172d0001fb2de054eaff5dc8c9ba041cbec00a42d8311c92958e1b4690454262106ac26d0eed85863e2142dc5d4161a98c7cbabbcb6b083e7d02b59c

    • SSDEEP

      24576:pAT8QE+kEVNpJc7Y/sDZ0239GhjS9knREHXsW02E7zS:pAI+/NpJc7Y60EGhjSmE3sW02E7zS

    Score
    10/10
    raccoonredlinevidar4507635788776426c3f362f5a47a469f0e9d8bc3eef@tag12312341afb5c633c4650f69312baef49db9dfa4nam3discoveryinfostealerstealer

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Raccoon family

      raccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks