General
-
Target
4a69df31f72c75b6ddbe32a5d0959d5e6dffa59dbda8e2a395e32134e7682c27
-
Size
826KB
-
Sample
211020-cz5htshear
-
MD5
b0ca5c62c8c05933955dfac31e3a8a20
-
SHA1
86ebd81ba2baed40d0c9e01adba4da10f8003285
-
SHA256
4a69df31f72c75b6ddbe32a5d0959d5e6dffa59dbda8e2a395e32134e7682c27
-
SHA512
7da76d7fc75fa67c299de7c42382823a16b5aea93ab9cfd4c5b6b10053c864b456ba10a5f261183c5437cac35fe6feb6aac0d53fb783c9fcbf166bb8f15fe9ff
Static task
static1
Behavioral task
behavioral1
Sample
4a69df31f72c75b6ddbe32a5d0959d5e6dffa59dbda8e2a395e32134e7682c27.exe
Resource
win10-en-20210920
Malware Config
Extracted
vidar
41.5
517
https://mas.to/@xeroxxx
-
profile_id
517
Extracted
djvu
http://rlrz.org/fhsgtsspen6
Targets
-
Target
4a69df31f72c75b6ddbe32a5d0959d5e6dffa59dbda8e2a395e32134e7682c27
-
Size
826KB
-
MD5
b0ca5c62c8c05933955dfac31e3a8a20
-
SHA1
86ebd81ba2baed40d0c9e01adba4da10f8003285
-
SHA256
4a69df31f72c75b6ddbe32a5d0959d5e6dffa59dbda8e2a395e32134e7682c27
-
SHA512
7da76d7fc75fa67c299de7c42382823a16b5aea93ab9cfd4c5b6b10053c864b456ba10a5f261183c5437cac35fe6feb6aac0d53fb783c9fcbf166bb8f15fe9ff
-
Detected Djvu ransomware
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-