General
Target: 56f41adb2d1e815904c55e35a03f080ada43f9d86b940af68d3b51d280a52960
Size: 864KB
Sample: 211022-t6nmbsbha8
MD5: fe84af5503ddbc9531a364601db5f312
SHA1: c3107b36450fa8e65256f8df5aaf7def33ad1884
SHA256: 56f41adb2d1e815904c55e35a03f080ada43f9d86b940af68d3b51d280a52960
SHA512: 4e4eb5efec558992f1505d77889cbef31bd3dd6db971a06194407195a486c82620d3503373d4a27e8a4adc53dc0ddc2d916ea052682a37b64114db11783b7e27
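Added example, not part of the report: a small Python helper that recomputes the four digests of a file and compares them with the values listed above, so a copy of the sample obtained from another source can be confirmed to be this exact file before it is detonated or shared. The bytes used in the self-check are constructed; only the digest values are taken from the report.

```python
import hashlib
import sys
from pathlib import Path

# Digest values exactly as listed in the report's General section.
REPORT_DIGESTS = {
    "md5": "fe84af5503ddbc9531a364601db5f312",
    "sha1": "c3107b36450fa8e65256f8df5aaf7def33ad1884",
    "sha256": "56f41adb2d1e815904c55e35a03f080ada43f9d86b940af68d3b51d280a52960",
    "sha512": "4e4eb5efec558992f1505d77889cbef31bd3dd6db971a06194407195a486c82620d3503373d4a27e8a4adc53dc0ddc2d916ea052682a37b64114db11783b7e27",
}


def digests(data: bytes) -> dict:
    """Compute every digest the report lists, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_DIGESTS}


def compare(computed: dict, expected: dict = REPORT_DIGESTS) -> dict:
    """Per-algorithm match flags; case-insensitive so hashes pasted in upper case still compare."""
    return {name: computed[name].lower() == expected[name].lower() for name in expected}


def classify(result: dict) -> str:
    """'match' when every algorithm agrees, 'no match' when none does, 'partial' otherwise.

    A partial result cannot come from the right file: it means one of the IOC values was
    mistyped or truncated when copied, so treat it as a data-quality problem, not a confirmation.
    """
    if all(result.values()):
        return "match"
    if not any(result.values()):
        return "no match"
    return "partial"


def verify_file(path: str) -> str:
    """Hash a file on disk and return its classification against the report's digests."""
    result = compare(digests(Path(path).read_bytes()))
    for name, ok in result.items():
        print(f"{name:6} {'ok' if ok else 'MISMATCH'}")
    return classify(result)


if __name__ == "__main__":
    # Usage: python verify_sample.py <file>; exit status is 0 only on a full match.
    sys.exit(0 if verify_file(sys.argv[1]) == "match" else 1)
```

Comparing all four digests rather than just the SHA256 costs nothing and catches the common copy-paste failure where one hash in an IOC list belongs to a different sample.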
Static task: static1
Behavioral task: behavioral1
Sample: 56f41adb2d1e815904c55e35a03f080ada43f9d86b940af68d3b51d280a52960.exe
Resource: win10-en-20210920
Malware Config
Extracted: vidar
Version: 41.5
profile_id: 517
C2: https://mas.to/@xeroxxx (a social-media profile page from which the stealer reads its live C2 address, so block or monitor the profile URL as well as whatever address it resolves to at the time of analysis)
Extracted: djvu
C2: http://rlrz.org/lancer
Targets
Target: 56f41adb2d1e815904c55e35a03f080ada43f9d86b940af68d3b51d280a52960
Size: 864KB (MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures:
- Detected Djvu ransomware
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
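Added example, not part of the report: the three behaviours listed above that leave registry and network traces (Run-key persistence, Uninstall-key enumeration, external-IP lookup) written as detection logic over simplified Sysmon-style events and correlated per process. Correlation matters because a lone read of Uninstall subkeys is also normal for installers and inventory agents, and a lone IP-echo request is normal for browsers; a single process doing two or more of the three is what warrants a look. The event format, process paths, PIDs and the IP-lookup hostnames are constructed assumptions and do not come from the report.

```python
import re
from collections import defaultdict

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
UNINSTALL_KEY_RE = re.compile(r"\\CurrentVersion\\Uninstall\\([^\\]+)", re.IGNORECASE)
UNINSTALL_THRESHOLD = 5   # distinct Uninstall subkeys read before it counts as enumeration
# Constructed placeholder hostnames; a real rule carries a curated list of public IP-echo services.
IP_LOOKUP_HOSTS = {"ip-lookup.example", "whatismyip.example"}


def _ev(pid, image, type_, **fields):
    return {"pid": pid, "image": image, "type": type_, **fields}


# Constructed sample events (Sysmon-like, simplified); paths and PIDs are made up.
STEALER = r"C:\Users\u\AppData\Local\Temp\build.exe"
INSTALLER = r"C:\Program Files\Vendor\setup.exe"
BROWSER = r"C:\Program Files\Browser\browser.exe"
UNINST = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{%s}"

SAMPLE_EVENTS = (
    [_ev(4242, STEALER, "reg_read", key=UNINST % f"app-{i}") for i in range(8)]
    + [_ev(4242, STEALER, "reg_set",
           key=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper")]
    + [_ev(4242, STEALER, "dns", query="ip-lookup.example")]
    + [_ev(100, INSTALLER, "reg_read", key=UNINST % f"app-{i}") for i in range(6)]   # benign
    + [_ev(200, BROWSER, "dns", query="ip-lookup.example")]                           # benign
)


def behaviours_by_process(events):
    """Map pid -> (image, sorted list of behaviour tags) for every process with at least one hit."""
    uninstall_subkeys = defaultdict(set)
    hits = defaultdict(set)
    images = {}
    for ev in events:
        pid = ev["pid"]
        images[pid] = ev["image"]
        if ev["type"] == "reg_set" and RUN_KEY_RE.search(ev["key"]):
            hits[pid].add("run_key_persistence")
        elif ev["type"] == "reg_read":
            m = UNINSTALL_KEY_RE.search(ev["key"])
            if m:
                # Count distinct subkeys, not reads: re-reading one key is not enumeration.
                uninstall_subkeys[pid].add(m.group(1).lower())
        elif ev["type"] == "dns" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            hits[pid].add("external_ip_lookup")
    for pid, keys in uninstall_subkeys.items():
        if len(keys) >= UNINSTALL_THRESHOLD:
            hits[pid].add("software_enumeration")
    return {pid: (images[pid], sorted(tags)) for pid, tags in hits.items()}


def flagged(events, min_behaviours=2):
    """Processes showing at least min_behaviours of the three correlated behaviours."""
    return {pid: info for pid, info in behaviours_by_process(events).items()
            if len(info[1]) >= min_behaviours}


if __name__ == "__main__":
    for pid, (image, tags) in flagged(SAMPLE_EVENTS).items():
        print(f"pid {pid} {image}: {', '.join(tags)}")
```

Lowering min_behaviours to 1 turns this into the report's individual signatures, which is useful in a sandbox where everything the sample does is of interest but noisy on a fleet of endpoints.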