General

Target: 888de44182a88d69f5b304acfce7bd6e4478e6552ee45fb9d9038278b3c30b60
Size: 771KB
Sample: 210721-2wb8mpwtl2
MD5: 599af8dde747a4c41a1f70b762ca8b72
SHA1: 428057643a42360453911ef5dfd95ee86a874e54
SHA256: 888de44182a88d69f5b304acfce7bd6e4478e6552ee45fb9d9038278b3c30b60
SHA512: ef0408065b22ecd8cab231822dbd42719879564fdcca909d177543732247be1810e7d1f98679280081937ae9e166b34b5e31ffaa6c28fca9491d2af4952ffaa7

Static task: static1

Malware Config

Extracted
Family: vidar
Version: 39.6
Botnet: 517
C2: https://sslamlssa1.tumblr.com/
profile_id: 517

Targets

Target: 888de44182a88d69f5b304acfce7bd6e4478e6552ee45fb9d9038278b3c30b60
Size: 771KB
MD5: 599af8dde747a4c41a1f70b762ca8b72
SHA1: 428057643a42360453911ef5dfd95ee86a874e54
SHA256: 888de44182a88d69f5b304acfce7bd6e4478e6552ee45fb9d9038278b3c30b60
SHA512: ef0408065b22ecd8cab231822dbd42719879564fdcca909d177543732247be1810e7d1f98679280081937ae9e166b34b5e31ffaa6c28fca9491d2af4952ffaa7

Signatures
Vidar Stealer
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext