General
- Target: 95972f593721107647a703bdd022f36f88737204c2ad575a77c25acfc2f21d4f
- Size: 172KB
- Sample: 211103-wve7xsbeer
- MD5: 4ea672ca05b3c1e7d131ecc108c7e7f1
- SHA1: e816730b9fc1cef43ae269452fbd60dc7a178c3a
- SHA256: 95972f593721107647a703bdd022f36f88737204c2ad575a77c25acfc2f21d4f
- SHA512: 0c67d0901554de3a0d6409da8d1eea4350732be77366d58f8cfdec20d7fd3fe216674731839649fc7b6e612ef01665ca46b6a2cb4143b74e3fb23b7e92dd9549
Static task: static1

Malware Config (extracted)
- Family: vidar
- Version: 47.8
- ID: 865
- URL: https://mas.to/@romashkin
- profile_id: 865
Suricata alerts
- ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- ET MALWARE Vidar/Arkei Stealer Client Data Upload
- ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
- ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Signatures
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.