General
-
Target
dd9021852d9fb9c0560e195bddce79ee7a33cdef19b25ebed4cb442b865fc6d6
-
Size
323KB
-
Sample
230412-ce98ksgh32
-
MD5
7833a64626dcb1acf40d2c42e1baa5b5
-
SHA1
476d6dbaeac411af43ee8f0d69533ccdaaf36369
-
SHA256
dd9021852d9fb9c0560e195bddce79ee7a33cdef19b25ebed4cb442b865fc6d6
-
SHA512
0d8156fdc07493cc7394c5941195691ccfc84878c972d996e6ccedd3d7f5e93930a744790970b433c5212140859dea8be51f907c123c24c8b23e33a423fdd8d9
-
SSDEEP
6144:bYUh59fn+oM9ZgPI0XGCROT4OFU4MT+LMsyj003V55wh:5z9WR9ZgP7XVOTJFUZTZse0Y
Static task
static1
Behavioral task
behavioral1
Sample
dd9021852d9fb9c0560e195bddce79ee7a33cdef19b25ebed4cb442b865fc6d6.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
vidar
3.4
e749025c61b2caca10aa829a9e1a65a1
https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs
-
profile_id_v2
e749025c61b2caca10aa829a9e1a65a1
-
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Extracted
laplas
http://185.106.92.74
-
api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Targets
-
-
Target
dd9021852d9fb9c0560e195bddce79ee7a33cdef19b25ebed4cb442b865fc6d6
-
Size
323KB
-
MD5
7833a64626dcb1acf40d2c42e1baa5b5
-
SHA1
476d6dbaeac411af43ee8f0d69533ccdaaf36369
-
SHA256
dd9021852d9fb9c0560e195bddce79ee7a33cdef19b25ebed4cb442b865fc6d6
-
SHA512
0d8156fdc07493cc7394c5941195691ccfc84878c972d996e6ccedd3d7f5e93930a744790970b433c5212140859dea8be51f907c123c24c8b23e33a423fdd8d9
-
SSDEEP
6144:bYUh59fn+oM9ZgPI0XGCROT4OFU4MT+LMsyj003V55wh:5z9WR9ZgP7XVOTJFUZTZse0Y
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-