General
-
Target
570fbe91fdd6d1eb8cfd2f03c032cdde.exe
-
Size
872KB
-
Sample
210603-5fgyg6535j
-
MD5
570fbe91fdd6d1eb8cfd2f03c032cdde
-
SHA1
59d07617c682fed330d82b1d97f1bf32c30c6ff1
-
SHA256
b4a1845a21726b4826eb4157114d424c9a0f1c3112f67f587cbea352dd33ac61
-
SHA512
e0cd9f67e26140b22dbcee760b0690e5dd2bb0242091d3c759c123789c6b2bb8abbf1c2a80d6b4e1b00f9097f4f782ba2035041c92afc2280dd75a9dc21f7fb6
Malware Config
Extracted
vidar
39.2
517
https://dimashub.tumblr.com
-
profile_id
517
Targets
-
-
Target
570fbe91fdd6d1eb8cfd2f03c032cdde.exe
-
Size
872KB
-
MD5
570fbe91fdd6d1eb8cfd2f03c032cdde
-
SHA1
59d07617c682fed330d82b1d97f1bf32c30c6ff1
-
SHA256
b4a1845a21726b4826eb4157114d424c9a0f1c3112f67f587cbea352dd33ac61
-
SHA512
e0cd9f67e26140b22dbcee760b0690e5dd2bb0242091d3c759c123789c6b2bb8abbf1c2a80d6b4e1b00f9097f4f782ba2035041c92afc2280dd75a9dc21f7fb6
Score10/10-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-