General
- Target: DF26B54B984AE1B94FECDE99E7B0513A305164F900092.exe
- Size: 2.5MB
- Sample: 220531-ndpe9segbn
- MD5: e0fe9226cd6652b14cc47ee7f35ae1d6
- SHA1: b3de7a40c3586fe45ba1cd4e8929760d8a697250
- SHA256: df26b54b984ae1b94fecde99e7b0513a305164f9000929d3467a95d16e33667d
- SHA512: 205e7a5f16c7b3caa4111e2949e703638655fbd2d4893932f83666da6ff247d23af72bf5953270377a59845e09104357133be76cda287808a7611421fd020de2
Static task: static1
Behavioral task: behavioral1
- Sample: DF26B54B984AE1B94FECDE99E7B0513A305164F900092.exe
- Resource: win7-20220414-en
Malware Config
Extracted: vidar
- 39.7
- 933
- https://shpak125.tumblr.com/
- profile_id: 933
Targets
- Target: DF26B54B984AE1B94FECDE99E7B0513A305164F900092.exe
- Size: 2.5MB
- MD5: e0fe9226cd6652b14cc47ee7f35ae1d6
- SHA1: b3de7a40c3586fe45ba1cd4e8929760d8a697250
- SHA256: df26b54b984ae1b94fecde99e7b0513a305164f9000929d3467a95d16e33667d
- SHA512: 205e7a5f16c7b3caa4111e2949e703638655fbd2d4893932f83666da6ff247d23af72bf5953270377a59845e09104357133be76cda287808a7611421fd020de2
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
- Vidar Stealer
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext