General
-
Target
0dafbf8f10ab2260e9521f00a8761593446e4584327339852beca8f3af449f66
-
Size
307KB
-
Sample
230410-vptmpage9y
-
MD5
3bbb5b1e5a089ac75f370d80f1414901
-
SHA1
e33dcd8b678ca8b72bdb596f024687588320b732
-
SHA256
0dafbf8f10ab2260e9521f00a8761593446e4584327339852beca8f3af449f66
-
SHA512
b74c122d18922e3d4a86bc277ccdc83988240d996acc79125592c166bb91230665d4c0b29a284c982496089e61672ce39989fc36eb4966ab9cfcaaba1fecdc6b
-
SSDEEP
6144:S28Ed+rCJCYaISiVkNIVHSYeICIZxs6RX98H1wQUtT:4fxPINSSVHSnICCRqH1ET
Static task
static1
Behavioral task
behavioral1
Sample
0dafbf8f10ab2260e9521f00a8761593446e4584327339852beca8f3af449f66.exe
Resource
win10-20230220-en
Malware Config
Extracted
vidar
3.4
e749025c61b2caca10aa829a9e1a65a1
https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs
-
profile_id_v2
e749025c61b2caca10aa829a9e1a65a1
-
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Extracted
laplas
http://185.106.92.74
-
api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Targets
-
-
Target
0dafbf8f10ab2260e9521f00a8761593446e4584327339852beca8f3af449f66
-
Size
307KB
-
MD5
3bbb5b1e5a089ac75f370d80f1414901
-
SHA1
e33dcd8b678ca8b72bdb596f024687588320b732
-
SHA256
0dafbf8f10ab2260e9521f00a8761593446e4584327339852beca8f3af449f66
-
SHA512
b74c122d18922e3d4a86bc277ccdc83988240d996acc79125592c166bb91230665d4c0b29a284c982496089e61672ce39989fc36eb4966ab9cfcaaba1fecdc6b
-
SSDEEP
6144:S28Ed+rCJCYaISiVkNIVHSYeICIZxs6RX98H1wQUtT:4fxPINSSVHSnICCRqH1ET
-
Downloads MZ/PE file
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-