General
Target: 0a85c9f0d3c0849389e1b2435a4eb1ff089b05cc38c56f41ad185ccfdfcd63b1
Size: 864KB
Sample: 211022-tfwj9abgh3
MD5: 941fec98bfe5d92f1b11cb677afcd6e0
SHA1: 153a79eeebf8abc8084805918e934967aea8f418
SHA256: 0a85c9f0d3c0849389e1b2435a4eb1ff089b05cc38c56f41ad185ccfdfcd63b1
SHA512: 4c47dc3d2667bee02312189089146fbe9b1a8b8013b0a93d1e94c8b581f313c3d822c0999611a4b829be37c629c61c9d1515c08919a4fe48d5bfd038acc776b1

Static task: static1
Behavioral task: behavioral1
Sample: 0a85c9f0d3c0849389e1b2435a4eb1ff089b05cc38c56f41ad185ccfdfcd63b1.exe
Resource: win10-en-20211014

Malware Config
Extracted: vidar
  41.5
  517
  https://mas.to/@xeroxxx
  profile_id: 517
Extracted: djvu
  http://rlrz.org/fhsgtsspen6
Targets
Target: 0a85c9f0d3c0849389e1b2435a4eb1ff089b05cc38c56f41ad185ccfdfcd63b1
Size: 864KB
MD5: 941fec98bfe5d92f1b11cb677afcd6e0
SHA1: 153a79eeebf8abc8084805918e934967aea8f418
SHA256: 0a85c9f0d3c0849389e1b2435a4eb1ff089b05cc38c56f41ad185ccfdfcd63b1
SHA512: 4c47dc3d2667bee02312189089146fbe9b1a8b8013b0a93d1e94c8b581f313c3d822c0999611a4b829be37c629c61c9d1515c08919a4fe48d5bfd038acc776b1

Signatures
- Detected Djvu ransomware
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext