General
- Target: cbcd2fbfc1453a2df726c3801dd176bf06b92c59cd664b9298ea6746b35bfc67
- Size: 894KB
- Sample: 220725-evwq8seebn
- MD5: e4c6c1ca703d77b521ace023bee2df08
- SHA1: 61e97bd5a83c7b264af225d2b75eef4bd07d5b93
- SHA256: cbcd2fbfc1453a2df726c3801dd176bf06b92c59cd664b9298ea6746b35bfc67
- SHA512: 61007ce908055fe3f1e07d9ee9f7c40dd232f5de87b924552a5090622870a95d51e4c2b8e6312dd086c0bdeed668e40119c61dfc195d609595fa98652d67c705
Static task: static1
Behavioral task: behavioral1
- Sample: cbcd2fbfc1453a2df726c3801dd176bf06b92c59cd664b9298ea6746b35bfc67.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: cbcd2fbfc1453a2df726c3801dd176bf06b92c59cd664b9298ea6746b35bfc67.exe
- Resource: win10v2004-20220721-en
Malware Config
Extracted: vidar
- 18.2
- 543
- http://barjamanis.com/
- profile_id: 543
Extracted: azorult
- http://23.106.124.148/index.php
Targets
- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
- Vidar Stealer
- Executes dropped EXE
- Registers COM server for autorun
- Sets file execution options in registry
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.