General
- Target: e3842478160c7baf3ba6f1b5531751f96c4d2391577aad4e0c2b98eeb4625890
- Size: 856KB
- Sample: 211020-sq8rwshbh6
- MD5: da8ecb75c808af77a39958cc19ccb15d
- SHA1: 2a89e82410d3402f75b17d6283b398f97aa4a83e
- SHA256: e3842478160c7baf3ba6f1b5531751f96c4d2391577aad4e0c2b98eeb4625890
- SHA512: ac8f33bdb11e3c7906b3573bc4764977584b55e67d5c6a2b51c53e952c562706708551f5a3206fb1e295819952e5d1c4d15d397487372bd706ffac7c3e2b16c2
- Static task: static1
- Behavioral task: behavioral1
- Sample: e3842478160c7baf3ba6f1b5531751f96c4d2391577aad4e0c2b98eeb4625890.exe
- Resource: win10-en-20210920
Malware Config
- Extracted: vidar
  - 41.5
  - 517
  - https://mas.to/@xeroxxx
  - profile_id: 517
- Extracted: djvu
  - http://rlrz.org/fhsgtsspen6
Targets
- Target: e3842478160c7baf3ba6f1b5531751f96c4d2391577aad4e0c2b98eeb4625890
- Size: 856KB
- MD5: da8ecb75c808af77a39958cc19ccb15d
- SHA1: 2a89e82410d3402f75b17d6283b398f97aa4a83e
- SHA256: e3842478160c7baf3ba6f1b5531751f96c4d2391577aad4e0c2b98eeb4625890
- SHA512: ac8f33bdb11e3c7906b3573bc4764977584b55e67d5c6a2b51c53e952c562706708551f5a3206fb1e295819952e5d1c4d15d397487372bd706ffac7c3e2b16c2
- Detected Djvu ransomware
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext