General
-
Target
2ed6f719782409ee53949c76c4eb116fdd6224f81461bdb8fdf9d7fa4336b752
-
Size
803KB
-
Sample
211022-a6z6ksbab5
-
MD5
cf2467247db1a11528b9a039efb97467
-
SHA1
2542c4d56fcfb52722c9ac97924b13307f0c6ee6
-
SHA256
2ed6f719782409ee53949c76c4eb116fdd6224f81461bdb8fdf9d7fa4336b752
-
SHA512
90104b93603c78903a08564e841f0ca27ee1a710351cc96cc480ecd4489ecab758b784fb932393a3d453aa8208d3799f5f435e4227668f0cbdc7db15d364cf68
Static task
static1
Behavioral task
behavioral1
Sample
2ed6f719782409ee53949c76c4eb116fdd6224f81461bdb8fdf9d7fa4336b752.exe
Resource
win10-en-20211014
Malware Config
Extracted
vidar
41.5
517
https://mas.to/@xeroxxx
-
profile_id
517
Extracted
djvu
http://rlrz.org/lancer
Targets
-
-
Target
2ed6f719782409ee53949c76c4eb116fdd6224f81461bdb8fdf9d7fa4336b752
-
Size
803KB
-
MD5
cf2467247db1a11528b9a039efb97467
-
SHA1
2542c4d56fcfb52722c9ac97924b13307f0c6ee6
-
SHA256
2ed6f719782409ee53949c76c4eb116fdd6224f81461bdb8fdf9d7fa4336b752
-
SHA512
90104b93603c78903a08564e841f0ca27ee1a710351cc96cc480ecd4489ecab758b784fb932393a3d453aa8208d3799f5f435e4227668f0cbdc7db15d364cf68
-
Detected Djvu ransomware
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-