General

Target: 0479a0a09f9f9b56c485f5312238ee042ac004b221918d9357462d439e911378
Size: 8KB
Sample: 220319-n6plqshdb9
MD5: 23bff7d5de1f48d92bb79dfc7a288321
SHA1: 64a4d28663db271ebfd03f3f13d78ac80220f000
SHA256: 0479a0a09f9f9b56c485f5312238ee042ac004b221918d9357462d439e911378
SHA512: b6a7aeab8bf4d7f598a5cec1031c890861796a6f7ca7e9ad409bf97a0d78b8bcb1d3b44694d6513c57f71f68f71e5b4b038e9659b1eb07cacad811239c94ec89
Static task: static1

Behavioral task: behavioral1
Sample: 0479a0a09f9f9b56c485f5312238ee042ac004b221918d9357462d439e911378.exe
Resource: win7-20220311-en

Behavioral task: behavioral2
Sample: 0479a0a09f9f9b56c485f5312238ee042ac004b221918d9357462d439e911378.exe
Resource: win10v2004-en-20220113
Malware Config

Extracted family: vidar
Version: 48.6
Botnet: 933
C2 (profile pages used as dead-drop resolvers; the stealer reads the real C2 address from them rather than contacting a hard-coded server):
  https://mastodon.online/@valhalla
  https://koyu.space/@valhalla
profile_id: 933
Targets

Target: 0479a0a09f9f9b56c485f5312238ee042ac004b221918d9357462d439e911378
Size: 8KB
MD5, SHA1, SHA256, SHA512: identical to the hashes listed under General (a single target, the submitted sample itself).
Signatures

- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess: a process was created with a parent other than the caller, the API pattern behind parent-process (PPID) spoofing.
- OnlyLogger Payload
- Vidar Stealer
- XMRig Miner Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application: registry Run-key persistence.
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Legitimate hosting services abused for malware hosting/C2: consistent with the Mastodon profile URLs in the extracted Vidar config.
- Drops file in System32 directory
- Suspicious use of SetThreadContext: commonly seen when an injected or hollowed process has its entry point redirected to the payload.
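The two things a responder would do with this report are check files against the sample's hashes and hunt for hosts that fetched the dead-drop profile pages named in the extracted config. The script below is an added example, not part of the sandbox report or of Vidar itself: the hashes and profile URLs are copied from the report, while the proxy log format, the sample log lines and the "non-browser user agent" heuristic (the assumption that the stealer's own HTTP fetch does not present a browser user agent) are constructed for the example.

```python
"""IOC triage for this report (added example; hashes and C2 URLs copied from
the report, everything else constructed for illustration)."""
import hashlib
import re
from urllib.parse import urlparse

# Copied from the report.
SAMPLE_HASHES = {
    "md5": "23bff7d5de1f48d92bb79dfc7a288321",
    "sha1": "64a4d28663db271ebfd03f3f13d78ac80220f000",
    "sha256": "0479a0a09f9f9b56c485f5312238ee042ac004b221918d9357462d439e911378",
}
C2_PROFILE_URLS = [
    "https://mastodon.online/@valhalla",
    "https://koyu.space/@valhalla",
]

# Constructed proxy log, format: <ts> <client> <method> <url> <status> "<user-agent>"
SAMPLE_PROXY_LOG = [
    '2022-03-19T10:14:02Z 10.0.5.17 GET https://mastodon.online/@valhalla 200 "-"',
    '2022-03-19T10:14:03Z 10.0.5.17 GET https://koyu.space/@valhalla 200 "-"',
    '2022-03-19T10:15:40Z 10.0.5.22 GET https://mastodon.online/@someone 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/99.0"',
    '2022-03-19T10:16:11Z 10.0.5.23 GET https://example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/98.0"',
    '2022-03-19T10:17:00Z 10.0.5.31 GET https://mastodon.online/@valhalla 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/98.0"',
]

PROXY_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def hash_bytes(data):
    """md5/sha1/sha256 hex digests of a file's contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_sample(data):
    """True only if all three digests equal the report's; one would suffice,
    but comparing all three also catches a mis-pasted hash."""
    return hash_bytes(data) == SAMPLE_HASHES


def _normalize(url):
    """(lower-cased host, path without trailing slash) for comparison."""
    p = urlparse(url)
    return (p.hostname.lower() if p.hostname else "", p.path.rstrip("/"))


_PROFILES = [_normalize(u) for u in C2_PROFILE_URLS]
_INSTANCES = {host for host, _ in _PROFILES}


def parse_proxy_line(line):
    """Parse one constructed proxy record; None if the line does not match."""
    m = PROXY_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_dead_drop_fetches(lines):
    """Split proxy records into exact fetches of the configured profiles and
    other requests to the same fediverse instances (operators rotate profiles,
    so instance-level hits are worth a second look). Each hit records whether
    the user agent looks browser-like; the heuristic assumed here is that the
    stealer's own fetch does not, so non-browser hits are the strong ones."""
    exact, same_instance = [], []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        host, path = _normalize(rec["url"])
        if host not in _INSTANCES:
            continue
        hit = {
            "client": rec["client"],
            "url": rec["url"],
            "browser_ua": rec["ua"].startswith("Mozilla/"),
        }
        if any(host == h and (path == p or path.startswith(p + "/")) for h, p in _PROFILES):
            exact.append(hit)
        else:
            same_instance.append(hit)
    return {"exact": exact, "same_instance": same_instance}


if __name__ == "__main__":
    result = find_dead_drop_fetches(SAMPLE_PROXY_LOG)
    for hit in result["exact"]:
        tag = "browser" if hit["browser_ua"] else "NON-BROWSER"
        print(f"{tag:11} {hit['client']} -> {hit['url']}")
    for hit in result["same_instance"]:
        print(f"instance    {hit['client']} -> {hit['url']}")
```

On the constructed log this reports 10.0.5.17 twice as non-browser fetches of both configured profiles (the pattern expected from an infected host), 10.0.5.31 as a browser-like fetch of the same profile (possibly an analyst or a curious user, needing follow-up rather than automatic blocking), and 10.0.5.22 as an instance-level hit on a different profile.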