General
- Target: dc32222354d27193fb7add2b8073bdfd9b4c1b87f38b035d5477179f251909a9
- Size: 803KB
- Sample: 211022-clsbcabad8
- MD5: a17476678fc2b067a9c40811e7f9238d
- SHA1: 50eb883d0d8107b4d9cebe3ee553b81e121ca1ec
- SHA256: dc32222354d27193fb7add2b8073bdfd9b4c1b87f38b035d5477179f251909a9
- SHA512: df1c97223502322932ae2a9d47789b1adf25dc14e4c772c576b9c59c45d3d6fd30fe7a07fcac7b4968a55014ed23edc3f3f2b47b08142c95a0b63ef8278be48b
Static task: static1
Behavioral task: behavioral1
Sample: dc32222354d27193fb7add2b8073bdfd9b4c1b87f38b035d5477179f251909a9.exe
Resource: win10-en-20211014
Malware Config
Extracted: vidar
41.5
517
https://mas.to/@xeroxxx
- profile_id: 517
Extracted: djvu
http://rlrz.org/fhsgtsspen6
Targets
- Detected Djvu ransomware
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext