General
- Target: 095735c82f4230c01b8f503ec304882934d82f2b5ab1ea2a07eaa3dc1558285f
- Size: 6.7MB
- Sample: 220530-xh3ywsffe6
- MD5: b0a7966468dd28adb1249565082785eb
- SHA1: db72a56263dcc0242c1bf6e617f308afaf0ea611
- SHA256: 095735c82f4230c01b8f503ec304882934d82f2b5ab1ea2a07eaa3dc1558285f
- SHA512: fe921879a5d09e7f048ba0a99d1fa9c3f241f140dcf51a9370d7ee03f60e23536b39a2c66cd896d549f8b867d9cf3df643ad99a97eec05ff8acb9e0d3d756633
Static task
- static1
Behavioral task
- behavioral1
- Sample: 095735c82f4230c01b8f503ec304882934d82f2b5ab1ea2a07eaa3dc1558285f.exe
- Resource: win7-20220414-en
Malware Config
Extracted
- vidar
- 41.5
- 933
- https://mas.to/@xeroxxx
- profile_id: 933
Targets
- Target: 095735c82f4230c01b8f503ec304882934d82f2b5ab1ea2a07eaa3dc1558285f
- Size: 6.7MB
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
- OnlyLogger Payload
- Vidar Stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext