General
-
Target
PASSWORD_IS_951951____IDM-Crack-640-B.zip
-
Size
6.6MB
-
Sample
211229-17r5gadhcm
-
MD5
c23223b2b71e56cba02b46ef671dfe57
-
SHA1
f7e784851ce8fd68824130b4ffffde52818da0e2
-
SHA256
d5ebec14b91d850a2ceda26e7f3a2a7dff41e51f9860292d7c0c7cd40c1c5b6f
-
SHA512
3cc72e524bcbc2fdd22e4e9a1e22016f15f62b2a461f1eedbbf1769fed6aae56b512639540cb31a40d32fad588ecc222d98114b264275a80a3bcf730b3f661b2
Static task
static1
Behavioral task
behavioral1
Sample
setup_installx86-x64.exe
Resource
win7-en-20211208
Malware Config
Extracted
socelars
http://www.chosenncrowned.com/
Extracted
vidar
49.2
915
https://mstdn.social/@kipriauk9
https://qoto.org/@kipriauk8
-
profile_id
915
Targets
-
-
Target
setup_installx86-x64.exe
-
Size
6.6MB
-
MD5
cc9292fa6cb95cbafcd7a92ed3bdb1d8
-
SHA1
4c3bb1e02ea8285dcd10b65f940127a05bc93b5e
-
SHA256
8c610296c11b79b528ef5533a9046cef7484bec4552fcb7c56d0b9365f1a4131
-
SHA512
197af0ffb032d1de7ba5e7d5e85d1c502cfaa13a8debfe985414d840f71a3c1aea84de2dcc5aa9cb03d6bcc69b321efdfeaaceae24e932f6ddd0b72cd4e823cf
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Socelars Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE ClipBanker Variant Activity (POST)
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Vidar Stealer
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-