General
-
Target
1b8e1993faa7d88c32a3cfba4af8db01b2ca57c7588b65bfe4bba68c74204c92
-
Size
4.2MB
-
Sample
220607-wzm4bscbej
-
MD5
aea7ce7cdb122cb3592a9cf011497f37
-
SHA1
356631e8716e7e2e5007270d036d769e7765fbba
-
SHA256
1b8e1993faa7d88c32a3cfba4af8db01b2ca57c7588b65bfe4bba68c74204c92
-
SHA512
d1a83cc4c14cf50f07ad97bba1518000c748788d3d3cd2ec4686f2639ff4f2e31c75e74472571e257f93615bb537391799976a55cb7ff26ee175fc78f88a623e
Static task
static1
Behavioral task
behavioral1
Sample
1b8e1993faa7d88c32a3cfba4af8db01b2ca57c7588b65bfe4bba68c74204c92.exe
Resource
win7-20220414-en
Malware Config
Extracted
vidar
9.9
231
http://rapidbtcinvest.com/
-
profile_id
231
Targets
-
-
Target
1b8e1993faa7d88c32a3cfba4af8db01b2ca57c7588b65bfe4bba68c74204c92
-
Size
4.2MB
-
MD5
aea7ce7cdb122cb3592a9cf011497f37
-
SHA1
356631e8716e7e2e5007270d036d769e7765fbba
-
SHA256
1b8e1993faa7d88c32a3cfba4af8db01b2ca57c7588b65bfe4bba68c74204c92
-
SHA512
d1a83cc4c14cf50f07ad97bba1518000c748788d3d3cd2ec4686f2639ff4f2e31c75e74472571e257f93615bb537391799976a55cb7ff26ee175fc78f88a623e
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Vidar Stealer
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-