General
- Target: ac949874daaa7008edec3c2896378a2bf8cab73f08977afb831e671387f8d8cf
- Size: 717KB
- Sample: 210722-9sxffb27wj
- MD5: 7bf390e96dac855e726727ee7ee645c5
- SHA1: a6b452e78052ac0172fe6e6f05cc8a9c56f57977
- SHA256: ac949874daaa7008edec3c2896378a2bf8cab73f08977afb831e671387f8d8cf
- SHA512: fef35e19226e2fa68084e6b3a35acd74a04a3d3e14963cf7c622da6c85a5c3d7683e0a8b4fe1816513682b6a303d4d527e87a96d52d7604882541ae8738cf66e

Static task: static1

Malware Config
- Extracted: vidar
  - 39.6
  - 517
  - https://sslamlssa1.tumblr.com/
  - profile_id: 517

Targets
- Target: ac949874daaa7008edec3c2896378a2bf8cab73f08977afb831e671387f8d8cf
  - Size: 717KB
  - MD5: 7bf390e96dac855e726727ee7ee645c5
  - SHA1: a6b452e78052ac0172fe6e6f05cc8a9c56f57977
  - SHA256: ac949874daaa7008edec3c2896378a2bf8cab73f08977afb831e671387f8d8cf
  - SHA512: fef35e19226e2fa68084e6b3a35acd74a04a3d3e14963cf7c622da6c85a5c3d7683e0a8b4fe1816513682b6a303d4d527e87a96d52d7604882541ae8738cf66e
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext