General

Target: bd313f9102739a231c214b4fe4f6c3a3.exe
Size: 233KB
Sample: 211020-g4xe8sgfc8
MD5: bd313f9102739a231c214b4fe4f6c3a3
SHA1: 728aea2174af79ab9e03cc3d31ec069d5ceb513c
SHA256: c95d04ae659ff27da971c970ec072ffbec37551120fe8c395d5455fba4139d0d
SHA512: a5074f21dc6cf3575facb4817d31165606eb0bc539477cc67ab8af1f165b38c8925c796d68a5ce8a21754d54b313afe75a74d7a5f33ac5012c194914f4c4036e
Static task: static1
Behavioral task: behavioral1 (sample bd313f9102739a231c214b4fe4f6c3a3.exe, resource win7-en-20210920)
Behavioral task: behavioral2 (sample bd313f9102739a231c214b4fe4f6c3a3.exe, resource win10-en-20210920)
Malware Config

Extracted: smokeloader
Version: 2020
C2:
- http://nusurtal4f.net/
- http://netomishnetojuk.net/
- http://escalivrouter.net/
- http://nick22doom4.net/
- http://wrioshtivsio.su/
- http://nusotiso4.su/
- http://rickkhtovkka.biz/
- http://palisotoliso.net/

Extracted: vidar
Version: 41.5
Botnet: 706
C2: https://mas.to/@xeroxxx
profile_id: 706

Extracted: vidar
Version: 41.5
Botnet: 517
C2: https://mas.to/@xeroxxx
profile_id: 517

Extracted: djvu
C2: http://rlrz.org/lancer
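The extracted configs above are the network indicators for this sample. As an added example (not part of the sandbox report), the Python below turns them into host-level and URL-level IOCs and runs them over a few constructed proxy-log lines. The Vidar entry is a Mastodon profile that this family uses as a dead-drop resolver to fetch its real C2 address, so only that profile path is treated as malicious rather than the whole mas.to host; the shared-host list, the log format and the log lines are assumptions of this example.

```python
"""Build network IOCs from the extracted configs and match proxy log lines.

Added example for this report: the config values are copied from the page,
everything else (shared-host list, log format, log lines) is constructed."""
import re
from urllib.parse import urlparse

# Extracted configs as listed in the report (family -> C2 URLs).
EXTRACTED = {
    "smokeloader": [
        "http://nusurtal4f.net/", "http://netomishnetojuk.net/",
        "http://escalivrouter.net/", "http://nick22doom4.net/",
        "http://wrioshtivsio.su/", "http://nusotiso4.su/",
        "http://rickkhtovkka.biz/", "http://palisotoliso.net/",
    ],
    "vidar": ["https://mas.to/@xeroxxx"],
    "djvu": ["http://rlrz.org/lancer"],
}

# Legitimate shared services where only a specific path (a profile used as a
# dead-drop resolver) is malicious. Assumption of this example, not a report field.
SHARED_HOSTS = {"mas.to"}


def build_iocs(extracted):
    """Return (host_iocs, url_iocs): {host: family} for hosts that can be
    blocked outright, and {(host, path): family} for shared hosts."""
    host_iocs, url_iocs = {}, {}
    for family, urls in extracted.items():
        for url in urls:
            p = urlparse(url)
            host = p.hostname.lower()
            if host in SHARED_HOSTS:
                url_iocs[(host, p.path)] = family
            else:
                host_iocs[host] = family
    return host_iocs, url_iocs


def classify(url, host_iocs, url_iocs):
    """Return the family a requested URL belongs to, or None.
    A host matches when it equals an IOC or is a subdomain of one."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if (host, p.path) in url_iocs:
        return url_iocs[(host, p.path)]
    labels = host.split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in host_iocs:
            return host_iocs[parent]
    return None


# Constructed log format: "<timestamp> <client ip> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def scan_proxy_log(lines, extracted=EXTRACTED):
    """Return [(timestamp, client, family, url)] for every line hitting an IOC."""
    host_iocs, url_iocs = build_iocs(extracted)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        family = classify(m["url"], host_iocs, url_iocs)
        if family:
            hits.append((m["ts"], m["src"], family, m["url"]))
    return hits


# Constructed sample proxy log; the third and last lines must not match.
SAMPLE_LOG = [
    "2021-10-20T07:01:12Z 10.0.0.15 POST http://nusurtal4f.net/",
    "2021-10-20T07:01:13Z 10.0.0.15 GET https://mas.to/@xeroxxx",
    "2021-10-20T07:01:14Z 10.0.0.15 GET https://mas.to/@someone_else",
    "2021-10-20T07:01:20Z 10.0.0.15 GET http://rlrz.org/lancer",
    "2021-10-20T07:02:00Z 10.0.0.22 GET http://cdn.nick22doom4.net/update.bin",
    "2021-10-20T07:02:05Z 10.0.0.22 GET https://www.example.com/",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

The subdomain walk in classify matters for SmokeLoader and Djvu infrastructure, which is commonly reached through hostnames under the configured domain; the path match for mas.to keeps the rest of that instance out of the block list.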
Targets

Target: bd313f9102739a231c214b4fe4f6c3a3.exe
- Detected Djvu ransomware
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application: writes a value under Software\Microsoft\Windows\CurrentVersion\Run so the payload is launched at logon.
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext: typically process hollowing, where the main thread of a suspended child process is redirected to injected code.
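The behaviours above (dropped executable, Run key persistence, external IP lookup, self-deletion) are what an endpoint detection would key on outside the sandbox. As an added example that is not part of the report, the Python below groups Sysmon-style events by process and ranks processes that show the dropper pattern; the event records, the Sysmon-like field names (EventID 1 process create, 13 registry value set, 22 DNS query, 23 file delete), the user-writable directory list and the IP-lookup host list are all constructed assumptions of this example, not output of the sandbox run.

```python
"""Rank processes by the dropper behaviours listed in the report, using
constructed Sysmon-like events (added example, not sandbox output)."""
import re

# Run / RunOnce keys under any hive (HKLM or a user's HKU\SID).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories a dropper typically executes from (assumed list).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads)\\", re.I)
# Public IP-lookup services (assumed list; the report does not name one).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}


def analyse(events):
    """Return {ProcessGuid: {"image": str, "findings": [(kind, detail), ...]}}
    for every process that shows at least one tracked behaviour."""
    procs = {}
    for ev in events:
        proc = procs.setdefault(ev["ProcessGuid"],
                                {"image": ev["Image"], "findings": []})
        eid = ev["EventID"]
        if eid == 1 and USER_WRITABLE_RE.search(ev["Image"]):
            proc["findings"].append(("executes from user-writable path", ev["Image"]))
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            proc["findings"].append(("adds Run key",
                                     ev["TargetObject"] + " = " + ev["Details"]))
        elif eid == 22 and ev["QueryName"].lower() in IP_LOOKUP_HOSTS:
            proc["findings"].append(("external IP lookup", ev["QueryName"]))
        elif eid == 23 and ev["TargetFilename"].lower() == ev["Image"].lower():
            proc["findings"].append(("deletes itself", ev["TargetFilename"]))
    return {g: p for g, p in procs.items() if p["findings"]}


def severity(findings):
    """A Run key set by a binary running from a user-writable directory, or by
    one that deletes its own image, is the dropper pattern in the report: high.
    A Run key on its own is what installers do as well, so it stays low."""
    kinds = {kind for kind, _ in findings}
    if "adds Run key" in kinds and kinds & {"executes from user-writable path",
                                            "deletes itself"}:
        return "high"
    if len(kinds) >= 2:
        return "medium"
    return "low"


# Constructed events: process A behaves like the dropper, B is a benign
# installer-style Run key write, C is a plain DNS query.
DROPPER = "C:\\Users\\user\\AppData\\Local\\Temp\\bd313f91.exe"
VENDOR = "C:\\Program Files\\Vendor\\app.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "Image": DROPPER},
    {"EventID": 11, "ProcessGuid": "A", "Image": DROPPER,
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\syshelper.exe"},
    {"EventID": 13, "ProcessGuid": "A", "Image": DROPPER,
     "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\"
                     "Windows\\CurrentVersion\\Run\\SysHelper",
     "Details": "C:\\Users\\user\\AppData\\Local\\syshelper.exe"},
    {"EventID": 22, "ProcessGuid": "A", "Image": DROPPER, "QueryName": "api.ipify.org"},
    {"EventID": 23, "ProcessGuid": "A", "Image": DROPPER, "TargetFilename": DROPPER},
    {"EventID": 1, "ProcessGuid": "B", "Image": VENDOR},
    {"EventID": 13, "ProcessGuid": "B", "Image": VENDOR,
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": "C:\\Program Files\\Vendor\\updater.exe"},
    {"EventID": 22, "ProcessGuid": "C", "Image": "C:\\Windows\\System32\\svchost.exe",
     "QueryName": "update.example.com"},
]

if __name__ == "__main__":
    for guid, proc in analyse(SAMPLE_EVENTS).items():
        print(guid, severity(proc["findings"]), proc["image"])
        for kind, detail in proc["findings"]:
            print("   ", kind, "-", detail)
```

The "Checks installed software" and SetThreadContext signatures are not represented here because neither a registry read of the Uninstall keys nor a thread-context change produces a Sysmon event; those need API-level telemetry or a sandbox, which is why they appear in this report but not in most endpoint logs.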