General
-
Target
euthree_20220223-152100
-
Size
715KB
-
Sample
220223-tjsmrscaem
-
MD5
e85b53cfc10a864ca485bde23806012f
-
SHA1
398452a5bdfddf79138190ca0fcfa43a79e536fc
-
SHA256
b54b7ff373d40dcf12dfe2f50b71e618dd3505797f6ff43b0746ea184523c96e
-
SHA512
84cc42399d13973b6bc7e9064de38c4bf21c722b58acc9e85ef4758db21354115ae7ebd4fbff7fa8277232a595cfe2f86c02a0eebb14542f70f0534e689bdf1f
Static task
static1
Behavioral task
behavioral1
Sample
euthree_20220223-152100.exe
Resource
win7-20220223-en
Malware Config
Extracted
vidar
50.3
565
https://mastodon.social/@kill5rnax
https://noc.social/@kill6nix
-
profile_id
565
Targets
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Vidar Stealer
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-