General
-
Target
5E440E04F382464DB10245C9F730D64D839368EF763BB.exe
-
Size
3.2MB
-
Sample
220730-zja1lsgden
-
MD5
51f897624058278c2e5e68bc78f30c51
-
SHA1
98a5054d035323b02d8e513994231c08ebbba5b6
-
SHA256
5e440e04f382464db10245c9f730d64d839368ef763bb564deadcacafb24e32b
-
SHA512
6ca87ae92b32efe818ab2954060ceae44b4e622b4b5907cab68171b3c6f773ac3a47574088419ec3b8fbe7857953806438bde55353c372935e04800a37456872
Static task
static1
Behavioral task
behavioral1
Sample
5E440E04F382464DB10245C9F730D64D839368EF763BB.exe
Resource
win7-20220718-en
Malware Config
Extracted
vidar
39.7
706
https://shpak125.tumblr.com/
-
profile_id
706
Targets
-
-
Target
5E440E04F382464DB10245C9F730D64D839368EF763BB.exe
-
Size
3.2MB
-
MD5
51f897624058278c2e5e68bc78f30c51
-
SHA1
98a5054d035323b02d8e513994231c08ebbba5b6
-
SHA256
5e440e04f382464db10245c9f730d64d839368ef763bb564deadcacafb24e32b
-
SHA512
6ca87ae92b32efe818ab2954060ceae44b4e622b4b5907cab68171b3c6f773ac3a47574088419ec3b8fbe7857953806438bde55353c372935e04800a37456872
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-