General
-
Target
0f05baf410acbdb5472a53529bf2000b.exe
-
Size
308KB
-
Sample
230411-ljsnrsdc8w
-
MD5
0f05baf410acbdb5472a53529bf2000b
-
SHA1
109fe4c8b160e56cbdbcdb226b155013c2050b53
-
SHA256
257f3227f28be3d46cbb43378f0c59bbbff01638b3935c704726ab7384e339cf
-
SHA512
e9a23c9422227b9500392266c4c454f7a800579916e1d530037ac5185e1b5ff80cc035c449dc04e9cd382125ce166cf560adea5525798972143b18beb1b20713
-
SSDEEP
6144:pYisWyuxC0oU/CuV2npwuLRkMjIYBe0IgPYjafUfSgx2O:pYisexeUCPp1EYBe0IXasfp
Static task
static1
Behavioral task
behavioral1
Sample
0f05baf410acbdb5472a53529bf2000b.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
0f05baf410acbdb5472a53529bf2000b.exe
Resource
win10v2004-20230221-en
Malware Config
Extracted
vidar
3.4
e749025c61b2caca10aa829a9e1a65a1
https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs
-
profile_id_v2
e749025c61b2caca10aa829a9e1a65a1
-
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Extracted
laplas
http://185.106.92.74
-
api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Targets
-
-
Target
0f05baf410acbdb5472a53529bf2000b.exe
-
Size
308KB
-
MD5
0f05baf410acbdb5472a53529bf2000b
-
SHA1
109fe4c8b160e56cbdbcdb226b155013c2050b53
-
SHA256
257f3227f28be3d46cbb43378f0c59bbbff01638b3935c704726ab7384e339cf
-
SHA512
e9a23c9422227b9500392266c4c454f7a800579916e1d530037ac5185e1b5ff80cc035c449dc04e9cd382125ce166cf560adea5525798972143b18beb1b20713
-
SSDEEP
6144:pYisWyuxC0oU/CuV2npwuLRkMjIYBe0IgPYjafUfSgx2O:pYisexeUCPp1EYBe0IXasfp
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-