General
-
Target
12f95f258ef35c561e1c847e813f2308ee2e0b25d4150c6b9ae73aa5f8498a6a
-
Size
725KB
-
Sample
210915-jwz79sabd7
-
MD5
3c0f843723eb5738c73e03b656664447
-
SHA1
6ce769d175a7192e7120593eaf8900d78622464a
-
SHA256
12f95f258ef35c561e1c847e813f2308ee2e0b25d4150c6b9ae73aa5f8498a6a
-
SHA512
d0623d7c28652b8607fcf9d581c667225429a6d2c4999acc1223d2dce90645f5765b748ae0dcc674509f93a15b21b481c357933b4ff7183c17c0aaa73c3a9dbb
Static task
static1
Behavioral task
behavioral1
Sample
12f95f258ef35c561e1c847e813f2308ee2e0b25d4150c6b9ae73aa5f8498a6a.exe
Resource
win10v20210408
Malware Config
Extracted
vidar
40.6
517
https://dimonbk83.tumblr.com/
-
profile_id
517
Targets
-
-
Target
12f95f258ef35c561e1c847e813f2308ee2e0b25d4150c6b9ae73aa5f8498a6a
-
Size
725KB
-
MD5
3c0f843723eb5738c73e03b656664447
-
SHA1
6ce769d175a7192e7120593eaf8900d78622464a
-
SHA256
12f95f258ef35c561e1c847e813f2308ee2e0b25d4150c6b9ae73aa5f8498a6a
-
SHA512
d0623d7c28652b8607fcf9d581c667225429a6d2c4999acc1223d2dce90645f5765b748ae0dcc674509f93a15b21b481c357933b4ff7183c17c0aaa73c3a9dbb
-
Detected Djvu ransomware
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-