General
-
Target
fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e
-
Size
2.8MB
-
Sample
220625-ey1jlagbe6
-
MD5
42dfab1fc3e86efb33605a188238785f
-
SHA1
2143d6fc6f94dca174ceed7a2ea9af40f7a73408
-
SHA256
fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e
-
SHA512
ff06aae357ee661c5d18fd66020f20d5d5891faff803a31cb98757015f37e1fbe373a7778064b6e03d9389638d0c42701806175e0ec78506f653c83957c2f0d1
Static task
static1
Behavioral task
behavioral1
Sample
fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e.exe
Resource
win7-20220414-en
Malware Config
Extracted
vidar
25.3
539
http://rattlesnakespr.com/
-
profile_id
539
Targets
-
-
Target
fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e
-
Size
2.8MB
-
MD5
42dfab1fc3e86efb33605a188238785f
-
SHA1
2143d6fc6f94dca174ceed7a2ea9af40f7a73408
-
SHA256
fae57d3f7b959dfc9e9f7b3329c58bfb20a6473c1b35ce991cb336a6413f412e
-
SHA512
ff06aae357ee661c5d18fd66020f20d5d5891faff803a31cb98757015f37e1fbe373a7778064b6e03d9389638d0c42701806175e0ec78506f653c83957c2f0d1
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-