General

- Target: 021c5ebba74185aba708b9ed701ae7a856905615abbcd9b884345b5a75c0b9ab
- Size: 864KB
- Sample ID (sandbox submission): 211022-pdj18abfb4
- MD5: 996fbd01a51b9b1efaf7f21f3ed80144
- SHA1: e03017ef514684fa5d4cb58e8649c95aa85859b8
- SHA256: 021c5ebba74185aba708b9ed701ae7a856905615abbcd9b884345b5a75c0b9ab
- SHA512: a33f4f57d712ab5d86ec8b8177c57be0ea20e35900c9826b8bf5583cbb829fed810d25b06a2b149dd0912d7b8cba55b44e932f38f0291353871012b624545057
Tasks

- Static task: static1
- Behavioral task: behavioral1
  - Sample: 021c5ebba74185aba708b9ed701ae7a856905615abbcd9b884345b5a75c0b9ab.exe
  - Resource (analysis VM image): win10-en-20211014
Malware Config

Extracted: vidar
- Version: 41.5
- Botnet / profile_id: 517
- C2: https://mas.to/@xeroxxx (a Mastodon profile used as a dead-drop resolver; the stealer reads the real C2 address out of the profile page rather than carrying it in the binary, so the URL above is the resolver, not the final C2)

Extracted: djvu
- C2: http://rlrz.org/fhsgtsspen6
Targets

- Target: 021c5ebba74185aba708b9ed701ae7a856905615abbcd9b884345b5a75c0b9ab (864KB; same MD5/SHA1/SHA256/SHA512 as listed under General)
Signatures

- Detected Djvu ransomware
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
  Writes a value under a ...\Software\Microsoft\Windows\CurrentVersion\Run key so the payload is launched again at logon.
- Checks installed software on the system
  Looks up Uninstall key entries in the registry (...\CurrentVersion\Uninstall\*) to enumerate software on the system. A single read of one subkey is normal for installers; walking many subkeys from one process is the signal.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP. The report does not name the service used.
- Suspicious use of SetThreadContext
  Redirecting a thread's context is the step that makes a suspended child run an injected payload (process hollowing / injection); on its own it is only an indicator and needs the accompanying process-creation and memory-write events to confirm.
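The registry persistence, Uninstall-key enumeration and external IP lookup behaviours listed above are all visible in ordinary endpoint telemetry. The following is an added example (not part of the sandbox report or the vendor's tooling) of a detection pass over constructed events: the event shape is a generic EDR/Sysmon-like dictionary, the sample paths and registry value names are made up, the list of IP-echo services is an assumption (the report does not say which one the sample used), the enumeration threshold of three subkeys is our choice, and the only values taken from the report are the two extracted C2 hosts.

```python
"""Flag report-style behaviours in endpoint telemetry.

Added example; the events below are constructed for illustration and are
not taken from the sandbox run. Registry reads are assumed to come from an
EDR/ETW source, since Sysmon only logs registry writes.
"""
import re
from collections import defaultdict

# Hosts from the report's extracted configs: the vidar dead-drop resolver
# (mas.to) and the djvu C2 (rlrz.org).
REPORT_IOC_HOSTS = {"mas.to", "rlrz.org"}

# Assumption: common public IP-echo services worth watching. The report does
# not identify the one this sample contacted.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com",
    "checkip.dyndns.org", "ifconfig.me",
}

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
UNINSTALL_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\([^\\]+)", re.I)

# Our threshold: one process touching this many distinct Uninstall subkeys
# is treated as software enumeration; a single read is normal installer noise.
UNINSTALL_THRESHOLD = 3

# Constructed paths (not from the report).
SAMPLE = r"C:\Users\user\AppData\Local\Temp\sample.exe"
BENIGN = r"C:\Windows\explorer.exe"

# Constructed telemetry: one malicious process, one benign one.
EVENTS = [
    {"event": "RegistrySet", "image": SAMPLE,
     "target": r"HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\user\AppData\Local\ab12\sample.exe"},
    {"event": "RegistryRead", "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAAA-1}\DisplayName"},
    {"event": "RegistryRead", "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BBBB-2}\DisplayName"},
    {"event": "RegistryRead", "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayVersion"},
    {"event": "RegistryRead", "image": BENIGN,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName"},
    {"event": "DnsQuery", "image": SAMPLE, "host": "api.ipify.org"},
    {"event": "NetworkConnect", "image": SAMPLE, "host": "mas.to", "port": 443},
    {"event": "NetworkConnect", "image": BENIGN, "host": "www.bing.com", "port": 443},
]


def detect(events):
    """Return (rule, image, evidence) tuples for the behaviours in the report.

    Per-event rules fire in event order; the Uninstall-key rule is evaluated
    after the pass because it aggregates distinct subkeys per process.
    """
    findings = []
    uninstall_seen = defaultdict(set)
    for ev in events:
        kind, image = ev["event"], ev["image"]
        if kind == "RegistrySet" and RUN_KEY_RE.search(ev["target"]):
            findings.append(("run_key_persistence", image,
                             f"{ev['target']} = {ev['details']}"))
        elif kind == "RegistryRead":
            m = UNINSTALL_RE.search(ev["target"])
            if m:
                uninstall_seen[image].add(m.group(1))
        elif kind in ("DnsQuery", "NetworkConnect"):
            host = ev["host"].lower()
            if host in IP_LOOKUP_HOSTS:
                findings.append(("external_ip_lookup", image, host))
            if host in REPORT_IOC_HOSTS:
                findings.append(("report_ioc_contact", image, host))
    for image, subkeys in uninstall_seen.items():
        if len(subkeys) >= UNINSTALL_THRESHOLD:
            findings.append(("installed_software_enumeration", image,
                             f"{len(subkeys)} distinct Uninstall subkeys"))
    return findings


if __name__ == "__main__":
    for rule, image, evidence in detect(EVENTS):
        print(f"{rule:32} {image}  {evidence}")
```

Run against the constructed events, the sample process trips all four rules and explorer.exe trips none: its single Uninstall read stays under the threshold and bing.com is neither an IP-echo service nor a report IOC. Tune the threshold and host lists to your environment; the Run-key rule in particular needs an allowlist for legitimate software that registers itself at install time.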