General

Target: ed240beca8abf8524ba3f89cd62485a7fd512dd576ddd2c9488491d6126e5556
Size: 854KB
Sample: 211023-g3s2escbc6
MD5: 2d68e7cca03d81a726559456c8dde4e0
SHA1: 21bbe842fca7bc7168cbf196b8f607a064519a32
SHA256: ed240beca8abf8524ba3f89cd62485a7fd512dd576ddd2c9488491d6126e5556
SHA512: 050452d443b6769fa4c6ed56596e3f54af956e6f14d440c90bfdc2f14ee8023b5a5b433730bfbd2017fd872b613548bcae5e882c78ae3045c24c5a34015b86ac
Static task: static1
Behavioral task: behavioral1
Sample: ed240beca8abf8524ba3f89cd62485a7fd512dd576ddd2c9488491d6126e5556.exe
Resource: win10-en-20211014
Malware Config

Extracted: vidar
  41.5
  517
  https://mas.to/@xeroxxx
  profile_id: 517

Extracted: djvu
  http://rlrz.org/lancer
Targets

Target: ed240beca8abf8524ba3f89cd62485a7fd512dd576ddd2c9488491d6126e5556
Size: 854KB
MD5: 2d68e7cca03d81a726559456c8dde4e0
SHA1: 21bbe842fca7bc7168cbf196b8f607a064519a32
SHA256: ed240beca8abf8524ba3f89cd62485a7fd512dd576ddd2c9488491d6126e5556
SHA512: 050452d443b6769fa4c6ed56596e3f54af956e6f14d440c90bfdc2f14ee8023b5a5b433730bfbd2017fd872b613548bcae5e882c78ae3045c24c5a34015b86ac

Signatures:
- Detected Djvu ransomware
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext