General
Target: 784d1f5c2ef013a0523ca0616f62698d.exe
Size: 2.4MB
Sample: 210827-rpwn7tbaga
MD5: 784d1f5c2ef013a0523ca0616f62698d
SHA1: e4c76b676705a8ffcecb6fc8a9c2424300c9bd6c
SHA256: 598d944c8f0ef8d8536487bb9b62ff8fbf6758b37da5132e17fb31e07acddc65
SHA512: 3d08427e5fa3bf1cc31d0e8b97564c977ae8ea74afb5c3b2d87e36c63213148a85d84cd4a6f4a3d694459a79474f370b9cd131469f6a57e6c6ff6683038d7998
Static task: static1
Behavioral task: behavioral1
Sample: 784d1f5c2ef013a0523ca0616f62698d.exe
Resource: win7v20210408
Malware Config
Extracted
Family: vidar
Version: 40.1
Botnet: 921
C2: https://eduarroma.tumblr.com/
profile_id: 921
Targets
Target: 784d1f5c2ef013a0523ca0616f62698d.exe
Size: 2.4MB
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- Vidar Stealer
- Downloads MZ/PE file
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext