General
-
Target
92b1cc02d037151eecedb276cee54e94ffcb6fb748d0c8a86c8f10522fef9fb5
-
Size
727KB
-
Sample
211015-2fr6tsbeg7
-
MD5
687ce85a38cc8ca331e63a87a3c5cb9e
-
SHA1
70da69b8fe9adbafbbccd38da2e71dd7121e9108
-
SHA256
92b1cc02d037151eecedb276cee54e94ffcb6fb748d0c8a86c8f10522fef9fb5
-
SHA512
92808823a009e5599d742d0fb522c3db732e35d05fb3a287871a43bbebed8284aa2a60ef574c46a65b0af67a662dea2d7c772a5d0890876336b773b95dbd9cdc
Malware Config
Extracted
vidar
41.4
1008
https://mas.to/@sslam
-
profile_id
1008
Targets
-
-
Target
92b1cc02d037151eecedb276cee54e94ffcb6fb748d0c8a86c8f10522fef9fb5
-
Size
727KB
-
MD5
687ce85a38cc8ca331e63a87a3c5cb9e
-
SHA1
70da69b8fe9adbafbbccd38da2e71dd7121e9108
-
SHA256
92b1cc02d037151eecedb276cee54e94ffcb6fb748d0c8a86c8f10522fef9fb5
-
SHA512
92808823a009e5599d742d0fb522c3db732e35d05fb3a287871a43bbebed8284aa2a60ef574c46a65b0af67a662dea2d7c772a5d0890876336b773b95dbd9cdc
Score10/10-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies RDP port number used by Windows
-
Sets DLL path for service in the registry
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-