General
Target: ytSetupEU.bin.zip
Size: 4.2MB
Sample: 220212-l4wwxscehq
MD5: 3f0851e13b0ac6e6e4033647779f81ad
SHA1: b77be983da157c2f48ab2351ab28d1d2ba7e08f9
SHA256: 221cbd514d9ce5faa1a710b79017c67488cd9fd91c1cf7806ebcd47517a874d8
SHA512: 3baffe7c7fc918ee3d6020991dbe366207aba83da13ecbd09b9a7333c6905b7631d76c3994aeddc51e640674ff8afb392ff40278881d99c25ac32c1364d8998e
Static task: static1
Behavioral task: behavioral1
  Sample: ytSetupEU.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: ytSetupEU.exe
  Resource: win10-en-20211208
Malware Config
Extracted: vidar
10.3
231
http://trasolevelqvines.com/
profile_id: 231
Targets
Target: ytSetupEU.exe
Size: 4.3MB
MD5: 9d3d0e705b4e4b8b2a694b89802c9f32
SHA1: f0ee20b66f07b71c5d29e859adb301e6c0daf5af
SHA256: 8361e4858ff44de225a4e3bb6c23e739f494af295f7c94e9744af2d6dcf56321
SHA512: 548a18686a7f1ef4a26e9cc0df6422f94c1e328d13fc7618511e1303eee8d688ddde0048441126b51e6028a434bc86fe90a0487655d7226196be653813ff68f2
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
- Vidar Stealer
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- autoit_exe
  AutoIT scripts compiled to PE executables.