General
-
Target
AnyDesk_x64x32.zip
-
Size
8.1MB
-
Sample
221204-spkzfaba86
-
MD5
11f60048e753528d160964f2a9f627e9
-
SHA1
c0ab9eabdf5c55ee0bc4f527a09deac10642de86
-
SHA256
7f874e1018fb27609df79be210c6b4345246dd3559577afc56c561879da1dd4b
-
SHA512
0f9ffe2b3964d4b319c7a2ce1b88aaa90e3678d3375e67c3b87fd6fa25f08e9bbe3baced563c872337b807d5d154203632d7b7e27ae7641bd777a49f9d622ad1
-
SSDEEP
196608:eR5ArpeWisxTHVeZLp73qU67S9x0O7KpA7t1ZtNs:ez4UWJfS9Z7tNu
Malware Config
Extracted
vidar
55.8
1678
https://t.me/paysotr_france
-
profile_id
1678
Targets
-
-
Target
AnyDesk_x64x32/About/ExternalBoot.admx
-
Size
2KB
-
MD5
ada14c9e12ebb088628c86ada31184e6
-
SHA1
a2578366538e3de9ea2c047372217a3ff3ff25fb
-
SHA256
4bd2d8e664271482adfdb53411298577d2bb7c5cf18a6fff30fd8f40abb17ff4
-
SHA512
147a0d77b2c8e66a97d22e62d15248fc93c0a82d8529628a9612c7aac7dc48ccb3ca8fda317ccc0372e0c9001e8cdf8fa8d12e47d84412df3ddee0b1bebbd93f
Score1/10 -
-
-
Target
AnyDesk_x64x32/About/en-US/ControlPanelDisplay.adml
-
Size
20KB
-
MD5
61cb7046c23a14515c58521dad36ab6f
-
SHA1
62ec7a88975656944fd8ca72924a916336112465
-
SHA256
a4f9a17502e8aba9e82c5c324cbed40e109a565ca2e27b3d79389f1a595b3ccd
-
SHA512
13473deade6477440d9515c9fc6babecdb59fe9a806633b003b14e71ec6e762dd9e13a9bfd1dfed554d7ca6a664b3c1ef0ceb7c8278f22cc0e0eeb793e697c1f
-
SSDEEP
384:VfRyKGkSDgF+vXDtchtrWzsbHX92eLb2vB1E4RRN9:VfRXTCrvXDWrWziN2ZvB1fRX
Score1/10 -
-
-
Target
AnyDesk_x64x32/About/en-US/Cpls.adml
-
Size
1KB
-
MD5
3a236d3ed9a6eae336de47bd71132d58
-
SHA1
621c59891b91951f2e863eefea2d8310fb5125e3
-
SHA256
ef075f5436a4117c29f2d6689a8ed6acc3ba22eafbdeea20c2349dba5cfe1f33
-
SHA512
862aabb60effac016188cf56bb6ec48f7e4f6847b4a1a4a525c1fd93daa0269e0cb02dc8362f5b3029f817d1096b8c5bb48fa1717fe4084e2a99cde13a3ce573
Score1/10 -
-
-
Target
AnyDesk_x64x32/About/en-US/CredSsp.adml
-
Size
19KB
-
MD5
3f887766536ae5c7677e841c9a1e86f6
-
SHA1
c3bfb966d06df84a5bd9fcdd9c0caf23a4f85b28
-
SHA256
91a36f497d459ef96b4cedb88ee0884651d8b5c0eabce1c1f4fec6d49ff71a31
-
SHA512
7777ff19b4b1108a2688d02f25ac69e3f66d87f44a42ad60596b447188728b231e148e67390b39b7cbcf62e83121ecb55a84cb3d72a55827c0489fadaba5469c
-
SSDEEP
192:EYLfqDwf4tdJ11wpL9uiansm9cjoOkfmW/MQfB:9qtVPaxu5mUTOYJ
Score1/10 -
-
-
Target
AnyDesk_x64x32/About/en-US/CredUI.adml
-
Size
3KB
-
MD5
1c00f0e54b646baca8571fc0b7be9582
-
SHA1
0494d0849b95970d96e480c9b00c3694e4d50029
-
SHA256
625371bba40530a9a4a88e167b4870634f7583bb601d16954ed8ff4a0e5242e9
-
SHA512
99a2b51a6addf470b15dfdc2d3d32ca305113c427cdf7c3b85fd3bd43f17b989b5bea38ba78821da5a8978437dd3e484ccb283d9b01b737c05c4b7d82288d749
Score7/10-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
-
-
Target
AnyDesk_x64x32/About/en-US/CredentialProviders.adml
-
Size
5KB
-
MD5
b735ff00bd6511f0525c74881042cfbf
-
SHA1
f9540a99e5654ea5f6b7aaf49ce35f591cec2863
-
SHA256
ff1b853b846ea63064ad460b42c44230de008297b6a2ddb8daa48991a5684c14
-
SHA512
a585ae89c4b13a6a2de50d414069fe40d3db53395a4e79b5865b530acc6963b2c89647d2735b27229503b58bac47b4c43b38e6e2beb00b81ec6f1d76db441c06
-
SSDEEP
96:LeD5pmAznn5XkKkcx1ftU6beY3rqFimzWSsdK/l+3yY8V:Ejznn5XkJcx1fdPrqFOXU/loyb
Score1/10 -
-
-
Target
AnyDesk_x64x32/About/en-US/CtrlAltDel.adml
-
Size
3KB
-
MD5
8eb6cbecfcfb7fb15e453e235713f0d2
-
SHA1
37170ba6139bd471c4121ed7747e8c9544e64e4a
-
SHA256
23eaf2144b343acce5ec33dfb0363ba5b53e1ed8f5e0557f7597f02c1a659b0c
-
SHA512
f3b96c2721592e9c5cd8caf20daccae170b46bdbbbd24d4a6d1acc3ca3d10bfa9ac23da2b5b3f9cf7d9f7918236c1c686918bb392595c634e97b56070aede007
Score1/10 -
-
-
Target
AnyDesk_x64x32/About/en-US/DCOM.adml
-
Size
4KB
-
MD5
7df9e61d5f72660a48741a9d1ae6df2a
-
SHA1
a623bd2021eaa8863519e110e2c4d141d68e6dee
-
SHA256
bd0e69bf353115e23b4344875da15df78bd4adf676eeab35aed30a21c129ebed
-
SHA512
726fc2bd5444e1791811c9f39b3b535d155aa0ba2ac8b50f7a8b6faf48e7bedbd542c96c701a1cd58b1c89b89da04d9c175e9ccde70da27c92e073e570138dd1
-
SSDEEP
96:LeD5pmc4qzQuQ+kCO+QW9JvqIiErBAqHPkGitHqEJw2mL8ykL3/NBV:El4qE9+kCOtW9dqIiErBAgPk/tKEJw2D
Score1/10 -
-
-
Target
AnyDesk_x64x32/About/en-US/DFS.adml
-
Size
1KB
-
MD5
59649458234fa8ec0fa1ccf6d1a1f000
-
SHA1
fa84dc8c633ac66d93c2cc4ca82973690cc01b06
-
SHA256
7c621bdfa9aafbb72c6e3eaa6bd9dadb9b87b76ff3085c3ab85f94a4ba74148b
-
SHA512
3dac7345cdf6e474ec6550890d2581e97ceccbdf3d6da446d0b4051600b81e66725e20e3905fc8ed051e00ae74b7899ecec073c828e776fb664731218f88e528
Score1/10 -
-
-
Target
AnyDesk_x64x32/About/en-US/DWM.adml
-
Size
4KB
-
MD5
8c0c1f2ac3237b8aa71f88a5650c0e68
-
SHA1
8a39fc535339841cc7573b1dcff729cec8e54114
-
SHA256
844bf77e54e0c353537b0d1349f0173049dd36c0cb64eaee900663cd0a227ab4
-
SHA512
c6f8ac395d011ec45ebf47812ebebf7e152db6a943566b744aa83b22529df07e3d0749d008b5f3a8a46953cccf39305966869e5efe502b1e727cf55ed7a05f4f
-
SSDEEP
96:LeD5pm8i9yPYwH70day2JGkA5mZAOtfMtlV:E1i9Yn0zMA3G6
Score1/10 -
-
-
Target
AnyDesk_x64x32/AnyDesk_x64x32.exe
-
Size
745.2MB
-
MD5
5956d3d9c0cdd930cf7754cfc194feaf
-
SHA1
0ab481033c4d03850c8426a636d9c6d542d3546a
-
SHA256
9349e45e03aa3efff2c32e8987dd905ec618f80083e43c9e06f997fe52dfd7c7
-
SHA512
31b2157bb4bdf43948fa700a2720a97f95df4d158a69df14eab334dfc9594dc3f6c29bdccef65dbe7358bcfed129c51c43c3a6b614bfc9d187e18b0475822d8f
-
SSDEEP
98304:JQrLZQrLAmaY70kUpqnT/0FH1Bj81K0sFCHnkcCemOU+ltwiSqfqdNZvJbhr4H:JULZULAQ7ZTr0FH1BAoFOZPfq/S
Score10/10-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses 2FA software files, possible credential harvesting
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks whether UAC is enabled
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-