General
Target: 44bcd2fec39f93c4968df77703a28eb4ab000e8fc9ea0f5d0e0c17e0c3b5e9bb
Size: 770KB
Sample: 210721-w1h1n859bj
MD5: ce324913d753bb835c2caaeaf4cd39dc
SHA1: 7f29f8eaaebc3da820004ec81aa1223e67087698
SHA256: 44bcd2fec39f93c4968df77703a28eb4ab000e8fc9ea0f5d0e0c17e0c3b5e9bb
SHA512: e2311ab499cb66b9b31431b0eb0c87d3bfc955a043d0c250ff38a7df2693d589b74a36f8910d88e4a706ec6716346a0c021e28280ae807cf2d5606453a430e24
Static task: static1
Malware Config
Extracted: vidar 39.6, 517
https://sslamlssa1.tumblr.com/
profile_id: 517
Targets
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext