General
- Target: ee125afc9934a207d864e7af8339c7add9891e49f306a4fa7e216ae3f8ed8d66
- Size: 762KB
- Sample: 211014-ht5jjagch9
- MD5: 1d981bdf2dfa80c62f3ef723e65ceb6d
- SHA1: 69722ec3b35b94a1204de68ad55a542b39b07988
- SHA256: ee125afc9934a207d864e7af8339c7add9891e49f306a4fa7e216ae3f8ed8d66
- SHA512: 231ad9ba88a9c18178f5d2c496a3e097ebd51148f6df2225c9fb53735d954b7eb89e7b1b04a39cffef09f36e66f5169372310e3fc9d7a089a61c7e2a0905b0c1
Static task: static1
Behavioral task: behavioral1
- Sample: ee125afc9934a207d864e7af8339c7add9891e49f306a4fa7e216ae3f8ed8d66.exe
- Resource: win10v20210408
Malware Config
- Extracted: vidar
  - 41.3
  - 517
  - https://mas.to/@oleg98
  - profile_id: 517
- Extracted: djvu
  - http://rlrz.org/fhsgtsspen6
Targets
- Target: ee125afc9934a207d864e7af8339c7add9891e49f306a4fa7e216ae3f8ed8d66
Signatures
- Detected Djvu ransomware
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext