General
- Target: 050a72f71da53a81e6c4a30f1c693f05ef5ca60bae616ae3ef732fe8bed2b670
- Size: 3.0MB
- Sample: 220610-janbksgfgq
- MD5: 64be2ec85776f9af2e3b08bb3556ca86
- SHA1: 78bb72f72774ce9f643171817331d8f5f256e295
- SHA256: 050a72f71da53a81e6c4a30f1c693f05ef5ca60bae616ae3ef732fe8bed2b670
- SHA512: 1d3b67a1bef50639fbd42f4e9b362cbf3e9dd84c5e61c3534a5678a3d59b21de0256e5e9e17ea7b5ab51c5b4e1e0e20f61ce4bdde56857399c0d028af6d0859d
Static task: static1
Behavioral task: behavioral1
- Sample: 050a72f71da53a81e6c4a30f1c693f05ef5ca60bae616ae3ef732fe8bed2b670.exe
- Resource: win7-20220414-en
Malware Config
Extracted
- vidar
- 52.5
- 1325
- https://t.me/tg_randomacc
- https://indieweb.social/@ronxik333
- profile_id: 1325
Targets
- Target: 050a72f71da53a81e6c4a30f1c693f05ef5ca60bae616ae3ef732fe8bed2b670
- suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
- suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- XMRig Miner Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Possible privilege escalation attempt
- Stops running service(s)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext