General
Target: 930d8bf8f40ff671a297a043159b9490fc8c101ca56dbc3d1ff6e693deed5c2d
Size: 827KB
Sample: 211019-3pcyyagdg3
MD5: 8f0d1fa6089f163e683ade1a50c9b1cf
SHA1: d3798a21bbde352163a06844c52433a254066dd8
SHA256: 930d8bf8f40ff671a297a043159b9490fc8c101ca56dbc3d1ff6e693deed5c2d
SHA512: fea5cae1d8d8957adc5f7ee0625be960d7055b64d025919d8c2b18744a59ca6ca823beda24841d702cfe45112fc099f1f4102fe0e0bc4103c60887ec307fe02b
Static task: static1
Behavioral task: behavioral1
Sample: 930d8bf8f40ff671a297a043159b9490fc8c101ca56dbc3d1ff6e693deed5c2d.exe
Resource: win10-en-20211014
Malware Config
Extracted: vidar
  41.5
  517
  https://mas.to/@xeroxxx
  profile_id: 517
Extracted: djvu
  http://rlrz.org/fhsgtsspen6
Targets
Target: 930d8bf8f40ff671a297a043159b9490fc8c101ca56dbc3d1ff6e693deed5c2d
- Detected Djvu ransomware
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext