General
Target: 9b5c929fac4e73db871d1889683bb3647fac5530927e1a4ea65bc82d103c457e
Size: 8KB
Sample: 220319-nzm5bshbfj
MD5: f045b3a46912d06d0cb66efa0bcac944
SHA1: 318b70eb1556e9bd4c54cb44e415f95317627185
SHA256: 9b5c929fac4e73db871d1889683bb3647fac5530927e1a4ea65bc82d103c457e
SHA512: 1d6ba8a40f5b195ab6fabd0db3a358d4e719fe245aef8d776dcedbc7d7648a7465fceb4c8e8c3315466b59c1f36bb30f2eeb8c321b7f2475c9bbbb5080653e10
Static task: static1
Behavioral task: behavioral1
  Sample: 9b5c929fac4e73db871d1889683bb3647fac5530927e1a4ea65bc82d103c457e.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: 9b5c929fac4e73db871d1889683bb3647fac5530927e1a4ea65bc82d103c457e.exe
  Resource: win10v2004-en-20220113
Malware Config
Extracted: vidar (48.6, 933)
C2:
  https://mastodon.online/@valhalla
  https://koyu.space/@valhalla
profile_id: 933
Targets
Target: 9b5c929fac4e73db871d1889683bb3647fac5530927e1a4ea65bc82d103c457e (8KB; MD5, SHA1 and SHA512 as listed under General)
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- OnlyLogger Payload
- Vidar Stealer
- XMRig Miner Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext