General
Target: 8e90ddd95e4c06e688b83d737590028cbc3c3c7274fd68aea4e5023d2981435f
Size: 854KB
Sample: 211023-ljt7laccc6
MD5: 74e758735158c49cde29710a6e2ff8c7
SHA1: 928564494e07a416606a4d8c3828c8d2a5d6b84e
SHA256: 8e90ddd95e4c06e688b83d737590028cbc3c3c7274fd68aea4e5023d2981435f
SHA512: 5af5526c1affb84c215c9885da861cf6042175e7b88fa5f8f39bb74afd40a14053d455dc500d661d26f4254290eb052880fee80a5b7fd495847910d384704f38
Static task: static1
Behavioral task: behavioral1
Sample: 8e90ddd95e4c06e688b83d737590028cbc3c3c7274fd68aea4e5023d2981435f.exe
Resource: win10-en-20210920
Malware Config
Extracted: vidar
41.5
517
https://mas.to/@xeroxxx
profile_id: 517
Extracted: djvu
http://rlrz.org/fhsgtsspen6
Targets
Target: 8e90ddd95e4c06e688b83d737590028cbc3c3c7274fd68aea4e5023d2981435f
Size: 854KB
MD5: 74e758735158c49cde29710a6e2ff8c7
SHA1: 928564494e07a416606a4d8c3828c8d2a5d6b84e
SHA256: 8e90ddd95e4c06e688b83d737590028cbc3c3c7274fd68aea4e5023d2981435f
SHA512: 5af5526c1affb84c215c9885da861cf6042175e7b88fa5f8f39bb74afd40a14053d455dc500d661d26f4254290eb052880fee80a5b7fd495847910d384704f38
- Detected Djvu ransomware
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext