General
- Target: 410cca3a97537d37ab63c36ed155f11683e791f3a1ed2419e3d17d9f433f1650
- Size: 758KB
- Sample: 210728-ykrg4yerm2
- MD5: a36609804058f5d47c6401fdcfacb6a2
- SHA1: 6fe99f6f73dc47d0e6752b4a585e6615ecbd7677
- SHA256: 410cca3a97537d37ab63c36ed155f11683e791f3a1ed2419e3d17d9f433f1650
- SHA512: 1eee6c62ccdc5cdbe6825d8214ead6ba212e9e8a158abe7a64c762e37e247b60e6e1d0b1918b10341bed52615bef93c61a1b628465f8bf71d641947be3641a56
Static task: static1
Malware Config
Extracted
- vidar
- 39.7
- 517
- https://shpak125.tumblr.com/
- profile_id: 517
Targets
- suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext